The General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for all individuals within the EU and will come into force on 25th May 2018. The principles behind this new legislation remain largely unchanged from the existing Data Protection Act (DPA). From a UK perspective, you will recognise that much of the detail of the GDPR is similar to the DPA but there are some significant additions particularly related to data privacy.
- There are clear rules and definitions for terms such as 'processing' and 'consent', with obligations scaled to fit the size of each organisation;
- Significantly increased penalties will be introduced for non-compliance; and
- Some firms will be required to appoint a Data Protection Officer (DPO).
We’ve created this dedicated GDPR section to help you identify the key areas you’ll need to think about. Use the links below for our guidance on individual topics.
While the GDPR is closely related to existing Data Protection regulation, there are a number of areas that will need attention.
In particular, consideration needs to be given to the legal basis used for processing personal data. Historically, client consent has been almost universally treated as the appropriate basis, but under the GDPR this will not necessarily be the case: consent must be freely given, specific, informed and unambiguous, and can be withdrawn, so it is often not the most suitable basis for processing that a firm must carry out anyway. The GDPR provides six legal bases for processing personal data, some of which may be appropriate for your firm. As well as consent, these are processing necessary for the performance of a contract, for compliance with a legal obligation, for the protection of vital interests, for a task carried out in the public interest, and for the purposes of legitimate interests. Each processing activity should be mapped to one of these bases, and the basis chosen should be recorded and stated in your privacy information.