General Data Protection Regulation (GDPR)
This month will see the General Data Protection Regulation (GDPR) come into force on 25 May 2018, replacing the Data Protection Act 1998.  It will be made into UK law through a new Data Protection Bill soon after.

The purpose of the GDPR is to protect the rights and freedoms of individuals and ensure that personal data is not processed without their knowledge, and wherever possible, is processed with their consent.

While the GDPR is an evolution of current data protection laws which architects should already be compliant with, it’s important to be mindful that it introduces new accountability and transparency obligations in respect of how personal data must be handled.

How to prepare for the GDPR
What you will need to do to remain compliant with the law will vary depending on the type and amount of personal data you currently hold, your uses of it, the current systems you already have in place, the size and nature of your practice and your responsibility within it. Establishing your situation in these areas should be a top priority, bearing in mind that it's likely even the best-run practices with the lowest risks will need to make some changes to their processes.

It follows that the compliance guidance each architect should follow will also vary. The Information Commissioner’s Office (ICO) provides useful guidance, including a 12 step guide to compliance and data protection checklists.

Regulator
The ICO is the organisation responsible for upholding compliance with GDPR.  While the Commissioner has made clear that her first priority is to assist organisations in meeting the requirements of the data protection laws, it should be noted that the new legislation provides the regulator with the power to issue substantial fines where serious breaches have occurred.

Guidance on how the ICO expects compliance with GDPR continues to be published. You can stay updated on the latest information here.