UK data protection law will change on 25 May 2018 when the EU’s General Data Protection Regulation comes into force. The UK’s Information Commissioner (ICO) has described the change as the “biggest change to data protection law for a generation”. The GDPR will replace the Data Protection Act 1998 (DPA).

To prepare for the regime change, organisations should consider what personal data (PD) they hold on individuals, where it comes from, and who it is shared with. At present, bodies collecting PD should issue privacy notices identifying who they are, and how they use PD. In future, they will need to set out their legal right to process the data, how long they keep it for, and how individuals can complain to the ICO if they think the law has been breached.

The GDPR also gives people a new right to data portability, which could drive competition between cloud-hosting organisations which store photos, music, and files.

At present, organisations have 40 days to respond to a subject access request, and can charge £10. From next May, the right to make a charge is eliminated, and the 40 days are reduced to one month.

The GDPR reinforces the need to obtain positive consent for data collection, and introduces new protection for people under the age of 16.

It also extends the duty to report certain personal data breaches to the ICO, and in some cases to potentially affected individuals. Mandatory reports are required if the breach could lead to discrimination, financial loss, or loss of confidentiality. Organisations should put in place procedures to detect, report and investigate breaches.