The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence.
Unless one of the exemptions applies, individuals should generally be able to choose whether or not their personal data is disclosed to another organisation. If your intention to disclose information in this way was not made absolutely clear at the outset, at a time when the individual had the option not to proceed in their business relationship with you, then you will usually have to get the individual’s consent before making such disclosures.
Businesses need to prepare now to ensure they will be compliant with changes to data protection laws when the General Data Protection Regulation (GDPR) comes into force on 25th May 2018.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
We suggest you visit the Information Commissioner’s Office website, which includes practical guidance such as:
A. Overview of the GDPR. This is for those who have day-to-day responsibility for data protection.
B. The 12 steps to take to prepare for GDPR. This has been relaunched, with updated guidance and with increased focus on the need to act now to prepare for May 2018. The steps start with:
- Awareness
You should make sure the decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be a useful start to look at your risk register if you have one.
- Information You Hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across your organisation.
The GDPR requires you to maintain records of your processing activities. If you hold inaccurate personal data and have shared it with another organisation, you will have to tell the other organisation so it can correct its records.
C. Getting Ready For the GDPR. This is a checklist divided into Steps.
The GDPR will significantly increase the maximum fines, so compliance needs to be taken seriously.
You need to start looking at how to comply now before it is too late.