You may not have heard of GDPR. But if you haven’t, you soon will. This is the new European General Data Protection Regulation. It governs how you store, manage and process personal data. This includes data on your staff (e.g. HR records), your customers and your marketing target lists. It changes quite a lot regarding the storage, sharing, maintenance and definition of personal data, including manual records and a range of other items – for instance, an IP address may be regarded as personal data under GDPR, which it isn’t under the existing UK Data Protection Act.
And don’t imagine that just because it’s a European Regulation we can ignore it with Brexit heading our way in a couple of years – the UK government has said Brexit will not affect the commencement of this Regulation, which is likely to be in force before the UK leaves the EU anyway. You can find an overview of the impact of the GDPR at the website of the UK Information Commissioner’s Office (ICO).
The Regulation was enacted in May 2016 and will come into force across the EU on 25th May 2018. Since the UK government has said it’s going to trigger Article 50 of the Lisbon Treaty to leave the EU at the end of March 2017, and this allows for a 2-year process, the UK is unlikely to leave the EU before April 2019, so GDPR will have been in force for almost a year by then. And even after that, if UK companies want to continue to trade with people and businesses in the EU, they will have to manage and store data in accordance with the provisions of GDPR, whether or not the UK government enacts GDPR in equivalent UK legislation. Because the UK ICO sees international consistency around data protection laws as crucial, it’s likely that whatever UK data protection legislation is put in place post-Brexit will be at least equivalent to the GDPR.
There are a number of areas affected. We will be looking at these in turn in subsequent posts, but it’s worth starting to find out about GDPR and its consequences now. For example, if you’re in the process of restructuring and auditing your data before moving some or all of it into the cloud, you should be considering the provisions of GDPR in that data governance exercise so that you have to go through it only once.