Three years ago, one of the biggest changes to data protection legislation in our lifetime came into force in the UK.
The General Data Protection Regulation came into force in May 2018, bringing with it tighter rules for the collection, storage, and processing of personal data.
This month, our blogs will focus on information security, how GDPR changes things, and what penalties businesses and other organisations have faced for data breaches.
This week, we look at the three important pieces of legislation now governing information security in the UK:
The General Data Protection Regulation – This wide-ranging EU data protection legislation was brought into force in the UK in May 2018. If you run a business, charity, or other organisation in the UK, you must comply with it. GDPR sets out seven principles which require that personal data is processed lawfully, fairly and transparently, held for a specific purpose and for no longer than is necessary, kept accurate, and kept secure. It also makes businesses and organisations accountable for the way data is gathered, processed, and stored. GDPR gives data subjects new rights, including the right to see what is held about them, to have inaccurate information corrected, and to ask for it to be deleted. It also gives the regulator, the Information Commissioner, the power to impose larger fines than before for data protection breaches. The maximum fine rose from £500,000 to up to 4% of worldwide annual turnover or 20 million euros, whichever is higher.
The Data Protection Act 2018 – This legislation implements the UK's version of GDPR and replaces the Data Protection Act 1998. It sits alongside GDPR, filling in the areas the Regulation leaves to member states. One of the key updates is that the regime now also covers certain paper files and records, not just those held on computers.