General data protection compliance

The UK government has confirmed that the UK will be implementing the EU’s General Data Protection Regulation (GDPR) which comes into force from May 2018 when the UK will still be a member of the EU. Once the UK has left the EU it may look again in due time at whether to make UK specific adjustments. Click here for a GDPR overview.

This announcement follows the recent issue by the UK Information Commissioner’s Office (ICO) of a new code of practice, called ‘Privacy notices, transparency and control’ (the Code). The Code provides information to help data controllers meet the transparency requirements under the Data Protection Act 1998 (DPA) and the GDPR. The ICO has said that if you follow the Code’s guidance you are “well placed to comply with the GDPR regime.”

The Code covers all businesses processing personal data, and it includes advice and best practice examples on:

  • obtaining consent
  • what to put in the privacy notice, including how it should be written (a privacy notice checklist is available)
  • how to communicate privacy information to individuals
  • producing privacy notices for mobile devices
  • when to communicate privacy information
  • testing and implementing privacy notices
  • ensuring privacy notices are GDPR compliant

Currently, DPA breaches can result in fines of up to £500,000. Under the new GDPR regime however, fines of up to €20m or 4% of the company’s total worldwide annual turnover may be imposed.

It is therefore crucial that EU based businesses (and the UK) become familiar with the Code and make appropriate revisions to their privacy notices and procedures.

Further ICO guidance is expected in the run up to GDPR implementation in 2018.