If you have not yet heard, new data protection legislation is on the way. As of May 2018, the General Data Protection Regulation (GDPR) will come into effect.
The EU’s General Data Protection Regulation (GDPR) is the result of four years of work. This new legislation will replace the Data Protection Act 1998. It has been designed to regulate how companies protect EU citizens’ personal data.
All companies that are already in compliance with the current Data Protection Act must ensure that they are also compliant with the new General Data Protection Regulation, or else they will face fines and penalties. As well as tougher fines, the new regulation will give people more say over what companies do with their data. The other aim of this new legislation is to make data protection rules more or less consistent throughout the EU.
GDPR will apply to the ‘controllers’ and ‘processors’ of data. A controller states why and how personal data is processed, and a processor is somebody who does the actual processing of the data. The controller could be an organisation such as a business or charity, and a processor could be their IT support company. It is the controller’s responsibility to ensure that the processor abides by the new data protection law. Even if these controllers and processors are based outside the EU, the regulation still applies to them.
The ICO have put together a guide on how you can prepare for the General Data Protection Regulation.