The Data Protection Act 1998, with its eight key principles, has been the mainstay of protecting personal data (often referred to as Personally Identifiable Information, or PII) in the UK for almost 20 years and has served the British public well. That Act remains in force until the new European data protection regime, the General Data Protection Regulation (GDPR), takes effect.
GDPR applies from 25th May 2018, and every organisation that processes personal data needs to be fully prepared by then. This means not only that the technical, procedural and policy-based controls needed to safeguard personal data must be in place, but also that organisations must be able to demonstrate that those controls are effective: accountability for data protection becomes an explicit obligation, not just good practice.
A key element of GDPR is its two-tier structure of maximum administrative fines. Depending on which Articles are contravened, the lower tier allows fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, and the higher tier fines of up to €20 million or 4% of that turnover, in each case whichever is the greater.