Under the Data Protection (Charges and Information) Regulation 2018, every organisation or sole trader processing personal information must pay the data protection fee to the ICO. This applies to everyone except those who qualify for one of the exemptions. Failure to register is a criminal offence so should be a priority for businesses. Note that domestic use of CCTV is not included in processing which requires a fee to be paid. From 25 May 2018, people who use CCTV for domestic purposes, i.e. to monitor their property, even if it films beyond the boundaries of their property will be exempt from paying...

Under the GDPR, both data controllers and data processors have compliance obligations and responsibilities. Processors for the first time have direct liability and may be subject to penalties and civil claims by data subjects for non-compliance with the terms of the GDPR.It is very important that controllers and processors clearly document their respective obligations and the GDPR creates a requirement for a contract to be in place between them, setting out specific terms that processor/controller agreements must contain, as a minimum.  This aims to ensure that processors only carry out processing as agreed with the controller and always in compliance with...

Under the GDPR, both data controllers and data processors have compliance obligations and responsibilities. Processors for the first time have direct liability and may be subject to penalties and civil claims by data subjects for non-compliance with the terms of the GDPR.It is very important that controllers and processors clearly document their respective obligations and the GDPR creates a requirement for a contract to be in place between them, setting out specific terms that processor/controller agreements must contain, as a minimum. This aims to ensure that processors only carry out processing as agreed with the controller and always in compliance with...

A new principle introduced by the GDPR is that of accountability. This requires data controllers to be able demonstrate their compliance and there are a number of ways that they can do this. Data Protection Impact Assessments (DPIAs) are one tool that under the GDPR must be used by organisations to identify and minimise the potential data protection risks of any new projects to be undertaken which involve the processing of personal data.Also key to GDPR is that organisations take a “data protection by default and design” approach to any activities involving data processing. DPIAs again help to achieve this by...

As we all know by now, the GDPR came into force on Friday 25th May 2018. For businesses based in Europe with employees and customers in the EU, this means unavoidable change. Changes to the way personal data is processed, changes to information to be given to data subjects, changes to internal governance, changes to the culture surrounding data protection within the organisation.  But what about businesses who are not based within the EU? Does the GDPR apply to them? What about non EU-based organisations who sell only occasionally to the EU?Article 3 of the GDPR states that its terms apply...