New EU General Data Protection Regulation will apply to all businesses processing personal data regardless of Brexit
The Data Protection Act is set to be replaced by the EU General Data Protection Regulation (GDPR) in 2018 to better protect privacy and personal data.
The changes, which will come into effect on 25 May 2018, will affect any business which processes personal data, such as those operating in retail, wholesale, ecommerce, and marketing – regardless of the outcome of the EU referendum.
In short, if you hold data on individuals, you are likely to be affected and will be required to comply with the new regulations, which will include new measures and procedures for handling this type of information, or face hefty penalties.
Perhaps the main – and most significant – change is that organisations handling a large amount of data, or particularly sensitive data, must appoint a dedicated data protection officer.
Secondly, the purpose for which the data is being collected must be made clear at the outset, and organisations must delete data once it’s no longer being used for that purpose.
The subject whose data has been collected will now also have the right to request that it’s erased.
Finally, all businesses in the EU must be compliant, as must firms trading with organisations within the EU.
When the regulations come into force in 2018, the UK will still be part of the EU and will therefore be required to adhere to them.
If and when the UK leaves the EU, the new Act will still form the basis for the UK to rewrite its own version. And if UK companies continue to trade in EU markets, they will still need to adhere to the EU regulations. Either way, all businesses are required to get on board regardless of Brexit.