GDPR – what next after 25 May 2018?

GDPR came into force on 25 May 2018, but what happens now? It doesn’t mean we can forget all about the GDPR and relax. As the Information Commissioner has said, it’s an evolutionary process not a one-off.

It’s not just about the GDPR

There is the new Data Protection Act 2018:

  • The DPA 98 has been replaced (with effect from 25 May 2018) by the Data Protection Act 2018 (DPA 2018), which incorporates all of the GDPR and various other provisions.
  • The Information Commissioner’s Office (ICO) is in the course of preparing updated guidance on what this will mean in practice.
  • A new fee structure is also in place, although if you have already paid for this year you will not have to pay the new fee until you renew.

Privacy and Electronic Communications Regulations will be changed too:

  • The 2003 Privacy and Electronic Communications Regulations (PECR) are due to be revised. PECR sit alongside the DPA 2018 and the GDPR. They give people specific privacy rights in relation to electronic communications with rules on marketing calls, emails, texts and faxes as well as cookies (and similar technologies).

GDPR is not a one-off event

Quite simply, no organisation can say it is ever fully DPA 2018 / GDPR compliant, because:

  • Compliance requires that all policies, training and procedures are reviewed and updated on a regular basis.
  • If you change your processes, your IT service providers, or your service offerings then you will need to ensure that the changes are DPA 2018 / GDPR compliant.
  • Cyber and physical security arrangements should also be reviewed on a regular basis, not just when new IT equipment is installed.

We don’t know all the answers regarding the GDPR

  • There are still a number of divergent views on key areas – in some respects there are no right answers just a variety of approaches.
  • The ICO is continually updating its guidance and refining its approach. This means how the ICO will interpret the DPA 2018 / GDPR will emerge over time.
  • The European Data Protection Supervisor (previously the Article 29 Working Party) is also expected to issue further guidance and interpretation.
  • We don’t yet know how the ICO will view breaches and the level of fines and types of sanctions it will impose.
  • We also don’t know the impact of Brexit – will the EU Commission agree that the DPA 2018 is ‘adequate’ and if not what mechanisms will be in place to ensure ‘frictionless’ transfer of personal data between the EU and the UK post Brexit?

How can I keep up?

  • Keep a wary eye on the ICO website as it will be updated on a regular basis. Further guidance is expected on the DPA 2018, deletion policies, contracts and encryption, to name a few.
  • Read our blogs and join in the discussion on Talk Accountancy and IT Counts. Our blogs will offer tips and commentary.
  • If you have any specific questions then please contact our Technical Advisory Service.

What is ICAEW doing to help you?

  • We plan to update our existing FAQs and Helpsheets to cover the issues that members tell us are problematic and to reflect new guidance from the ICO.
  • We will update our GDPR and Data Protection webpages on a regular basis.
  • We will offer our thoughts on recent developments and some practical tips via blogs and webinars. We will also continue to publish articles in Practice Wire; the next one is A GDPR Starter for 11: How can I ensure ongoing compliance?
  • We are also in dialogue with the ICO and other professional bodies to share experiences and (hopefully) agree a common approach.