The General Data Protection Regulations (GDPR) [1] are EU-wide and apply from the 25 May 2018. GDPR allows greater control over personal data and takes into account the advances in new technologies and media which resulted in new categories of personal information, such as IP addresses or location settings from mobile devices. GDPR replaces the Data Protection Act 1998 [2] and many of the requirements of GDPR are similar to those you probably already have in place to satisfy the 1998 Data Protection Act. However, there are some extra requirements, such as documenting how you comply with the data protection principles. You must be able to demonstrate is that you continually review and record the types of personal data you process and justify why you have a legal right to process it. The Information Commissioner’s Office (ICO) has provided two relevant resources:
The Practice Support Manual Ethical Practice topic currently provides advice on complying with the Data Protection Act 1998 and a large part of this information is still relevant to fulfilling most of your obligations with regards to GDPR.
Disclaimer
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website [3] and via the EU GDPR learning resource [4]. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.