The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This was enacted in UK law by the Data Protection Act (DPA) 2018 and replaces the Data Protection Act 1998. As of January 1 2021 all references to GDPR now refer to UK GDPR.
The regulation introduces several major changes. These include:
- individuals must be provided with more information when collecting their personal information
- there are new rules on gaining consent. Both consent and explicit consent now require a clear affirmative action. In other words, options must be opt-in, not opt-out
- data that has served its original purpose must be deleted. It cannot be reused for a different purpose unless the new purpose is compatible with the original one
- individuals can revoke their consent to data processing at any time. It must be easy for them to do so
- the data controller (in this case, ourselves) now has 72 hours to notify the Information Commissioner's Office (ICO) of a data breach, unless the breach is unlikely to result in a risk to data subjects. The ICO acts as the regulatory body for the United Kingdom
- there is a single national office for complaints. This is the ICO
- large data controllers (including ourselves) must appoint a Data Protection Officer
- if we don't comply with GDPR we could face a fine of up to $20,000,000 or 4% of our global annual turnover for the preceding financial year
We have policies in place to handle your data fairly and securely.
The UK left the European Union on 31 January and entered a Brexit transition period. During this period, which runs until the end of December 2020, it is business as usual for data protection. We will continue to abide by the principles of the GDPR and the DPA, along with the guidance provided by the Information Commissioner's Office.