Associate of healthcare law firm Hempsons Philippa Doyle explains changes coming into force with General Data Protection Regulation (GDPR).
The implementation of the GDPR on 25 May 2018 signals the largest overhaul of data protection since the 1998 Act.
Under the new Act you will need to:
- identify or recruit a Data Protection Officer if you carry out regular and systematic monitoring of individuals on a large scale, or your core activities consist of processing special categories of data
- review and update your policies and procedures and ensure all staff and volunteers are trained at least annually
- review consent – the requirement for valid consent has been raised to requiring ‘clear affirmative action’, and for sensitive personal data consent must be ‘explicit’
- update and prepare for new timescales for compliance with Subject Access Requests – the 40-day timescale is reducing to one month
The purpose of the GDPR is to enact a single data protection law across Europe, to give enhanced rights for individuals, greater and more prescriptive obligations on those that process personal data, and serious consequences (fines of up to 4% of annual turnover) for non-compliance.
Even though we are leaving the EU, because we won’t have left by 25 May 2018, the GDPR will be applicable to us. And even after we leave, we will still choose to follow it, as it will assist organisations that continue to operate in and trade with EU countries.