The General Data Protection Regulation (GDPR) applies detailed provisions to ensure that personal data – i.e. any data relating to an identifiable person – is properly processed and kept secure, and imposes a significant compliance regime on those who hold such data.
Key to the GDPR is the concept of 'data protection by design', so that data protection risks are considered at all steps of data handling and storage.
The GDPR builds on the existing data protection principles, as set out in the Data Protection Act 1998 (which has now been updated with a broader and stricter Data Protection Act 2018), but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. There are substantial rights given to individuals as to how information about them is collected and held.
The key principles are that the processing of personal data must be lawful, fair and transparent. This means that only the minimum necessary amount of personal data must be collected and only for specified, explicit and legitimate purposes. The data must be accurate and kept up to date, with access to it and use of it restricted to only those personnel who are necessary for the purpose, and it must be retained for no longer than is necessary and kept secure.
The most significant addition is the 'accountability principle', whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.
The ICO's office has published a guide and checklist for complying with the GDPR. The requirements are substantial for organisations of all sizes and the potential fines for failure to adhere to data protection law are extremely severe.