The Data Protection Act 2018, which enshrines the General Data Protection Regulation in British law, received royal assent yesterday, just two days before the GDPR is due to come into force.
The EU’s GDPR legislation, which comes into force tomorrow, will bring in stricter standards for when and how organisations, including charities, can contact people or process and store their data than are currently required under the Data Protection Act 1998.
It will also allow the Information Commissioner’s Office to levy fines of up to £17m, or 4 per cent of global turnover, on organisations that breach the rules.
The new act brings the GDPR requirements into UK law and extends them to cover legal areas for which the EU does not have oversight. It will remain in force even after the UK leaves the EU.
A government statement said the new law would make the UK’s data-protection laws fit for the digital age.
Elizabeth Denham, the Information Commissioner, welcomed the new law in a blog on the ICO website, saying her office was eager to embrace the changes it would bring and that it would give the UK one of the world’s more progressive data-protection regimes.
"The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data," she said.
Denham said the new act was not an end point, and preparations for the GDPR would not end tomorrow, 25 May.
"From this date, we’ll be enforcing the GDPR and the new act, but we all know that effective data protection requires clear evidence of commitment and ongoing effort," she wrote.
"It’s an evolutionary process for organisations – no business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018."
The ICO would be available to help organisations manage the process and to offer guidance, she said.