The Crown Commercial Service (CCS) has issued a guide to CCS suppliers about the actions which they must take in light of the implementation of the General Data Protection Regulation (GDPR). Under the GDPR, data processors will face direct legal obligations and can be fined by the Information Commissioner's Office for non-compliance. In addition, data processors will face claims for compensation if they fail to comply with their obligations.
The EU General Data Protection Regulation and the incoming Data Protection Bill (UK) will introduce a range of new liabilities into the data protection landscape. Data controllers have been warned of a corresponding increase in data protection claims under the new regulatory regime for some time. These warnings have largely focused on the level of fines and new data breach response requirements. However, the brewing perfect storm surrounding compensation claims should also be firmly on solicitors' radars.
The Crown Commercial Service has published a procurement policy note (PPN) in relation to the new data protection legislation that will be implemented shortly. The PPN highlights the fact that the EU General Data Protection Regulation now strikes a more even balance between data processors and data controllers and requires organisations to act immediately to ensure compliance. As the new legislation will apply to the wider public sector, other public bodies may wish to apply the principles of the PPN.
The recently announced Data Protection Bill (which will replace the existing Data Protection Act) will transpose the EU General Data Protection Regulation (GDPR) into UK law and will be applicable despite Brexit. The new enhanced regime will affect all businesses that process data relating to an identified or identifiable natural person. Companies need to be actively preparing to ensure that they are GDPR-compliant by identifying what steps are needed to comply with the regime.
The extent to which the data subject access request (DSAR) regime will change under the EU General Data Protection Regulation and how this will affect employers is becoming clear. For example, the fee for responding to a DSAR will be abolished and the deadline for compliance will be reduced. While there will be some practical differences, an employer that has appropriate systems and procedures in place to deal with DSARs under the existing regime will not need to radically rethink its approach.