It’s a date that’s been on everyone’s minds for some time, whether it’s because you’re a business targeting it as the deadline to complete your GDPR compliance project, or a consumer being bombarded by “we need to re-seek your consent” emails. The 25th May is here – the day the EU’s General Data Protection Regulation (GDPR) comes into force.
It impacts any business or organisation operating in the UK that is processing personal data, and updates the previous EU Data Protection Directive from 1995 to a more modern era of data processing (big data, powerful data analytics, social media, etc.) – to put that in perspective, in 1998 when the Data Protection Act was introduced (implementing the Directive), there was no Facebook, and Google had just been founded.
Whilst some areas of data protection have been updated (e.g. no fee now for subject access requests, a clearer, more transparent approach to consent (when you need it), etc.), in principle the fundamentals (indeed the Principles of data protection) are generally unchanged.
As for the UK? Well, we’ve got a new Data Protection Act 2018, which received Royal Assent yesterday and is now the UK’s new law, adopting the GDPR, ready for a post-Brexit approach to data protection (and presumably an attempt to convince the Europeans that post-Brexit we can still be trusted with EU citizens’ data).
So, if you’ve been working hard on your compliance, getting your consent messaging right, making sure you’ve updated your privacy notices and trained your staff, congratulations, you’ve made it. But the work doesn’t stop here – the Information Commissioner, Elizabeth Denham, recently said the 25th May is not the end for your GDPR journey, it’s the beginning.
This is true – just as the Data Protection Act 1998 has been law for 20 years and applied to everyday processing of personal data, so will the new 2018 Act and the GDPR. Your compliance continues past today, so it’s important to keep on top of it within your business or organisation, whether that’s dealing with ongoing compliance challenges, dealing with newly empowered customers wanting to know how you’re using their data, or paying attention to any regulatory changes, new ICO guidance or direction, or indeed the new raft of other regulatory challenges (Brexit could impact data protection compliance; a new ePrivacy regulation could change marketing consent, cookie consent, etc., as could case law and enforcement).
So, good luck – there’s still work to be done!