The 25th May 2018 has now come and gone and the GDPR has come into force.
While organisations prepared for GDPR, a separate Data Protection Bill was passing through Parliament. Reports were that this would not be ready until later in the year. However, following last-minute developments in Parliament, the Data Protection Bill received Royal Assent on 23 May and came into force on 25 May as the Data Protection Act 2018 (“DPA 2018”), alongside the GDPR.
Most of the DPA 2018 provisions are now in force. The GDPR is directly applicable in the UK and the DPA 2018 looks to align the EU and UK regimes for when the UK leaves the EU. The GDPR allows derogations to be made in certain circumstances under national law, and the DPA 2018 sets these out. Key differences under the DPA 2018 include coverage of data protection matters that do not fall within EU law (for example, where they relate to immigration) and provisions governing the ICO, as the UK’s supervisory authority.
Data protection compliance has never been a one-off process. As the ICO has been keen to emphasise, it is an ongoing and evolving process. It is affected by numerous statutes (including the Privacy and Electronic Communications Regulations 2003, which are currently under review). Organisations should ensure they are aware of the DPA 2018 provisions and review their processes and policies on an ongoing basis to mitigate the risk of falling foul of data protection legislation.