The European Union’s General Data Protection Regulation is now law, as is the Data Protection Act 2018, which means that the provisions of the Regulation will be enshrined in UK law post-Brexit.

Firms should have carried out extensive work prior to the GDPR implementation date. They should have made sure that their privacy policies meet the new requirements; that procedures for obtaining consent for data processing are in line with GDPR obligations; that they are totally transparent with their customers about what data is collected and who it might be shared with; and that their staff have been trained on what the new law means in practice. Some firms may also have been required to appoint a dedicated Data Protection Officer.

However, just because firms may have done a lot of work preparing for GDPR does not mean that they can rest on their laurels now the implementation date has passed. In a blog on her organisation’s website, Information Commissioner Elizabeth Denham commented that the introduction of the new laws was “not an end point, it’s just the beginning.”

Ms Denham added:

“Effective data protection requires clear evidence of commitment and ongoing effort. It’s an evolutionary process for organisations – no business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.”

As well as stressing the need to identify and mitigate data protection risks in the future, her blog post also highlighted how the new law has increased the responsibility firms have to protect consumer data. Ms Denham commented:

“The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”

Firms who breach data protection law can now be fined up to the greater of £17 million and 4% of global turnover.

Putting the customer first was a common theme of her blog post. GDPR and the 2018 Act give consumers new rights to view their data free of charge, and to request that data is amended or erased where appropriate.

On this subject, the Commissioner commented:

“The new laws provide tools and strengthened rights to allow people to take back control of their personal data.

“And although the ICO will be able to impose much larger fines – this law is not about fines. It’s about putting the consumer and citizen first. Telling people we can’t lose sight of that.”

Finally, Ms Denham emphasised that her organisation remains willing to assist firms to comply with their obligations, with considerable amounts of guidance and resources available on the Information Commissioner’s Office website.

In conclusion, Ms Denham said:

“Governed by these laws, organisations will have the incentive and the opportunity to put people at the heart of their data services. Being fair, clear and accountable to their customers and employees, organisations large and small will be able to innovate with the confidence that they are building deeper digital trust.”

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware that the facts, circumstances or legal position may change after publication of the article.