Policy News Journal - 2017-18

DPA is starting point but there are new elements and significant enhancements under GDPR

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. It is important to use the 12 steps to take to prepare for GDPR and other Information Commissioner’s Office (ICO) resources to work out the main differences between the current law and the GDPR. The ICO is producing new guidance and other tools to assist you, as well as contributing to guidance that the Article 29 Working Party is producing at the European level. These are all available via the ICO’s Overview of the GDPR. The ICO is also working closely with trade associations and bodies representing the various sectors – you should also work closely with these bodies to share knowledge about implementation in your sector.

It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.

The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.
Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or children’s data), so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.

The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.


What is the General Data Protection Regulation (GDPR)? 11 July 2017

One of the top 5 questions asked by HR professionals in June was ‘What is the General Data Protection Regulation?’

Every month XpertHR analyses the most popular FAQs asked by HR professionals in the past month.

One of the other top 5 questions was ‘Will there be changes to the rules on obtaining consent to process personal data under the General Data Protection Regulation?’

The EU’s General Data Protection Regulation (GDPR), which will be implemented in the UK in May 2018, updates the provisions of the Data Protection Act 1998 (DPA). The changes place greater obligations on organisations, with potential fines for breaches as high as €20 million or 4% of global turnover. Organisations need to act now to prepare for the potential changes to their systems and procedures.

Differences between DPA and GDPR

In short, many aspects of DPA which are considered to be “best practice” will be identified as “requirements” in GDPR and, as such, are subject to compliance checks with penalties for non-compliance.

Also, if a breach of personal data occurs and the organisation fails to notify the breach within the defined timescales, a maximum fine of €10 million or 2% of global revenue can be levied.

Below is an excerpt from the CIPP’s GDPR training course to give you an idea of some of the key differences between the Data Protection Act (DPA) and GDPR:

DPA Best Practice

GDPR Requirements

Governance

Management to demonstrate a

A data controller to be appointed who

The Chartered Institute of Payroll Professionals

Policy News Journal

cipp.org.uk

Page 43 of 516
