1 year to go until the "game-changing" new EU data protection law comes into force
The new EU General Data Protection Regulation will come into force in the UK on 25 May 2018 and, for various reasons, the Regulation (or something like it) is likely to remain a part of English law regardless of Brexit. The new UK Information Commissioner, Elizabeth Denham, was quoted in January saying "make no mistake, this one's a game changer for everyone".
Day-one compliance is required. Businesses should now consider the issues and changes they will need to make and use the next twelve months to put them into effect, e.g. in terms of their procedures, systems and technology, in order to be ready. Some of these may involve substantial lead times, not least if the transition is to be effected in an economical manner. The imminent arrival of the Regulation makes the ICO's list of 12 preparatory steps to take now even more pertinent. We summarise this below, with our own commentary.
Decision makers in your business need to know that important changes are coming, because of the impact on e.g. operational effectiveness, costs and risk. In the past, data protection has often been left to legal and IT teams, but it should no longer be viewed as just a mild inconvenience. Rather, it should be on the agenda at board level for all businesses, and budget should be set aside for compliance.
An essential starting point will be to map your use of personal data, e.g. what you hold, why and where you hold it, how long it is kept for and who you share it with – and how the picture may look in 2018 and beyond. Only by having a reliable and up-to-date picture will you be in a position to start planning your GDPR compliance programme.