The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018, along with most of the provisions in a new Data Protection Act 2018 (including those provisions relevant to processing in the employment relationship). The previous Data Protection Act 1998 has now been repealed. The new data protection laws give people more control about how their personal data is used, shared and stored and they require organisations to be more accountable and transparent about how they use such data.
As well as producing a wide range of new and updated guidance for organisations to assist them with their GDPR compliance, which is all available on its website, the Information Commissioner’s Office (ICO) has launched a long-term campaign, “Your Data Matters”, to help people understand why their personal data matters and how they can take back control.
The ICO’s resources for organisations include:
- Guide to the GDPR
- More detailed guidance on specific GDPR areas, covering: determining what is personal data; the right to be informed; legitimate interests; consent; documentation; automated decision-making and profiling; data protection impact assessments (DPIAs); and children and the GDPR
- Data protection self-assessment toolkit
- GDPR FAQs
- GDPR myth-busting blogs
- Lawful basis interactive guidance tool
- Personal data breach reporting resources
- Guide to the data protection fee (see below).
The Data Protection (Charges and Information) Regulations 2018 also came into force on 25 May 2018 and they have introduced a new data protection charging structure for data controllers. There is no longer a requirement to pay the ICO a notification fee. Instead, there are three tiers of charges which apply unless all processing undertaken by the data controller is exempt. For very small organisations with no more than ten members of staff or which have a maximum turnover of £632,000, the fee is £40, organisations with no more than 250 members of staff or which have a maximum turnover of £36 million must pay £40 and larger organisations must pay £2,900. The fee is reduced by £5 for paying by direct debit.