This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements.
When we started drafting this overview, the GDPR was on track to apply in the UK from 25 May 2018. The ICO had started to produce a set of guidance on the GDPR, and this overview was to be the first substantive part of that. The result of the 23 June 2016 referendum on membership of the EU now means that the Government needs to consider its impact on how the GDPR will apply in the UK.
However, we still think it is worth publishing this overview. Once the GDPR applies in the EU it will be relevant to many organisations in the UK, most obviously those operating internationally. The GDPR also introduces several new features, such as breach notification and data portability, so it remains useful to familiarise information rights professionals with its main principles and concepts.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to explain our view that reform of UK data protection law remains necessary.
This overview is for those who have day-to-day responsibility for data protection.