The Data Protection Act 2018 (DPA) is the UK legislation that implements and supplements the GDPR (General Data Protection Regulation). The law controls how personal information is used by businesses and other organisations. It was designed to protect personal data relating to individuals, and it strengthens individuals' rights and gives them more control over their information.
The law requires businesses that process and store their customers' information to review and, where necessary, overhaul their data management processes and practices, so that their internal procedures comply with the core data protection principles set out in the GDPR, including fairness, lawfulness and transparency of processing.
Compliance is not optional
The advice that we are giving to our clients is 'ignore the Data Protection Act/GDPR at your own peril'. Compliance is not optional and will be rigorously enforced by the Information Commissioner's Office (ICO), the regulator responsible for enforcing the DPA and issuing fines.
In my experience, many businesses have not treated the new law with the seriousness it demands, and the ICO has expressed concern that many businesses appear not to be complying. The very clear message being communicated is that compliance must now be taken seriously. Furthermore, it will be critical for businesses to embed compliance at a deeper level, by making data protection part of the culture of the organisation.
What is also clear is that there is increased privacy awareness among consumers and internet users. Individuals have become increasingly aware of their data protection rights, and this heightened awareness is likely to result in more requests from individuals to exercise those rights and more complaints to businesses. This may ultimately lead to increased investigations and enforcement action by the ICO.
Information Commissioner's Office warning
The ICO has indicated that it intends to intensify its enforcement activities over the coming months. The maximum fine for a business is 4% of annual worldwide turnover or 20 million euros, whichever is the greater. The ICO can also take a range of other actions, including imposing a temporary or permanent ban on data processing, which in many cases could bring a business to its knees.
In light of this, it is vital that businesses understand their legal obligations and prioritise compliance. It will take time and effort to put in place the practices and documents needed to demonstrate compliance in your business.