The UK Data Protection Act 2018 (Incorporating The GDPR) is a compliance law intended to strengthen data protection for individuals across the EU. The DPA replaces the 1995 data protection directive and changes the way organisations must handle the personal data / information of EU residents.
The DPA will impact every entity that holds or uses personal information of EU residents regardless of whether this information is hosted within or outside of the EU.
The new Law has introduced widespread changes to current law and will greatly increase financial sanctions for non-compliance (up to 4% of annual worldwide turnover for groups of companies).
The Law has been enforced since 25th May 2018 and organisations are required to implement all the necessary changes to their systems and operations to meet the new compliance rules. With a greater emphasis on transparency and accountability for the processing and protection of data and how organisations demonstrate their compliance, the DPA should not solely be viewed as an information security issue but a fundamental business and governance challenge.
Adherence to the GDPR is not optional and should be adopted verbatim by each EU country; there shall be no country-specific interpretations. According to a recent survey of senior business leaders, many UK businesses are still unsure when it comes to the application of the Data Protection Act (GDPR) in their organisation. But despite its regulatory impact, the DPA should also be viewed by all businesses as a benchmark of quality. In a competitive marketplace where customer loyalty and retention is key, organisations that demonstrate compliance with the DPA are more likely to maintain the trust, respect and loyalty of their customers.
Data Protection Authorities across the EU not just the UK have received thousands of complaints and breach notifications, and the first fines, penalties and sanctions are being imposed. Registration fees fund the Information Commissioners Office (ICO) whilst all other fines and penalties flow straight to HM Treasury!
All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt. Fines for not paying can be up to a maximum of £4,350. The money collected from the data protection fee funds the ICO’s work to uphold information rights, such as investigations into data breaches and complaints, our popular advice line, and guidance and resources for organisations to help them understand and comply with their data protection obligations.
Fines for non-compliance are shown below. Not complying with the Data Protection Act can also put the viability of your business and the future of your company at serious risk. Do you really want to be the only one who doesn’t comply with a Law which is mandatory in the whole European Union? If we add to all this any claims made by users affected by your infraction or possible complaints from any corporate or economic operator, believe us: flouting the regulation will end up affecting you more than you could ever imagine. And, make no mistake: it won’t be worth it.
It is vital that decision makers and key people in your organisation are aware of and understand the impact that The Data Protection Act 2018 (Inc GDPR) will have on the business and employees.
If your CCTV system captures images of people outside the boundary of your business property the Data Protection Act 2018 will apply to you.
When you collect personal information, you have to give people certain information in return: your identity, how the information is used, the lawful bases for processing the information, retention periods, and the fact that individuals have the right to complain to the ICO.
Procedures should be adopted to effectively detect, report and investigate a personal data breach. Depending on the type of breach, you are required to notify the ICO and the individuals affected.
You must not keep personal information for longer than is necessary. If the business no longer needs the information, the individual has the right to erasure (deletion).
The safe storage and access of information is vital for Data Protection compliance. This applies to all systems employed, laptops and all mobile devices used by the firm.
A subject access request can be made to any employee in the organisation, and not necessarily in the format you would wish. The organisation will have one calendar month to comply and usually cannot charge for this service.
Individuals have increased rights regarding how their information is held and used. They now have a right of access to this information. It is imperative that your business understands these rights and how to recognise and handle such requests from individuals.
Those businesses that trade with the European Union will have to designate a suitable representative based in the EU to handle all necessary liaison relating to GDPR compliance.
You must (mandatory) have a valid lawful basis in order to process personal information; which basis is most appropriate to use will depend on your purpose and relationship with the individual.
It is mandatory that you document what personal information you hold, where it comes from and who you share it with. GDPR (Art 30) requires you to maintain records of your processing activities.
Special category data, such as racial, political, religious or genetic data, trade union membership, sex life or sexual orientation, should only be processed under certain circumstances.
"From our first meeting to the delivery of all policies, documentation and improvements to business procedures, the process was very simple and painless. After the initial information gathering meetings, TWI handled all the production, answered all the questions we had clearly and promptly and, importantly to ourselves, kept to their plan and timeframe for compliance "completion"."
"We did utilise TWI for further training and general awareness for all staff of the business, vital in relation to subject access requests."
MLR Career Step, Professional Recruitment
TWI is an experienced provider of Data Protection Act 2018 (GDPR) and PECR compliance services, experienced in dealing with SMEs and with everything from charities to large FTSE 100 organisations.
At TWI we give honest, straightforward and independent advice that helps customers navigate an increasingly complex and regulated digital business world.
We provide a clear business plan to compliance, with a flexible and cost-effective approach that suits all sizes of organisation. With almost 30 years’ experience at the heart of the rapidly evolving business environment, TWI has established a position as a leading advisor to high profile clients from the private & public sectors, including retail, professional, financial and leisure organisations.