The new General Data Protection Regulation (GDPR) comes into effect in May 2018, taking the place of the existing Data Protection Act (DPA) in the UK. Our recent public sector event, with a guest speaker from the ICO and participants from across the London area, discussed what this piece of legislation means specifically for the public sector.
Much more prescriptive than the DPA, the GDPR greatly expands a number of sections of the current legislation, including tightening the requirements around fair processing notices, consent and individuals’ rights to privacy. If you work as an information management professional in the public sector and you haven’t yet started thinking about (and preparing for) the GDPR, now’s the time to do so. If your organisation isn’t prepared when it comes into effect, you could be at risk of increased fines.
Grabbing the headlines is the much more rigorous fining regime. These fines must be decided by the member states. In any case, the most stringent fines will be given when a company loses personal data.
There are some special considerations around the GDPR for the public sector, but the biggest part of staying in compliance with the GDPR and other data privacy regulations is to ensure that you know the legal basis for everything you do, and that you can prove you have this legal basis when it comes to processing personal data. As the burden of proof shifts onto the data controller to demonstrate compliance, public authorities can no longer rely on the “legitimate interest” condition for processing personal data.
The resounding message from the ICO was this: if you’re currently following best practices for information protection and DPA compliance, you’re probably in good shape with the new rules; you just need to ensure that you are following the more explicit instructions. Understanding the intricacies of the GDPR is of the utmost importance. Don’t get left behind. Contact our Professional Services team for expert advice.