UK Data Protection Act to be replaced
As with the Data Protection Act,
the GDPR applies to personal data,
but the GDPR also applies to online
identifiers, such as an IP address.
The new General Data Protection Regulation (GDPR) is set to come into force in the UK from 25 May 2018, replacing the UK Data Protection Act 1998.
While the new rules are months away, it is wise for businesses to prepare in advance, to ensure they are compliant by next year.
The GDPR applies to those with a day-to-day responsibility for data protection – defined as ‘controllers’ and ‘processors’. Controllers say how and why personal data is processed and processors act on the controller’s behalf.
Processors have specific legal obligations under the new regulation – they are required to maintain records of personal data and processing activities. There will be significantly more legal liability if the processor is responsible for a data breach.
However, controllers are not relieved of their obligations if a processor is involved. The new regulation places further responsibilities on these controllers to ensure contracts with processors are compliant with the GDPR.
As with the Data Protection Act, the GDPR applies to personal data, but the GDPR also applies to online identifiers, such as an IP address.
For most organisations – those who keep HR records, customer lists or contact details, for example – the changes to the definition should make little practical difference, according to the Information Commissioner’s Office.
The GDPR applies to automated personal data and manual filing systems where personal data can be accessed according to specific criteria. This could also now apply to chronologically ordered sets of manual records that contain personal data.