The Data Protection Act 1998 is an Act of the Parliament of the United Kingdom that regulates the processing of personal data. The Act regulates how data can be used and how it should be stored.

The Data Protection Act 2018 has been designed to provide a clearer and more up-to-date set of rules for organisations to follow when processing personal data.The new legislation brings together the current data protection framework, which was made up of sector-specific legislation that has been in place since 1998, with some updates and changes.

The Record of Processing Activities serves to enable an organisation to have a clear picture, internally, of processing activities as well as providing evidence to authorities as how to data is being used.

Under Article 35(1) of the GDPR companies and organisations are required to conduct a Data Protection Impact Assessment where their processing activities are likely to result in high risk to the rights and freedoms of data subjects. The DPIA should be done BEFORE processing begins, in line with the principles of data processing by design and default

Almost three years into the GDPR, companies, by now, understand they have to be GDPR compliant but they don’t always know that if they are a Non-EU company falling under the scope of GDPR, that does not have an enterprise in the EU, they will probably need an EU representative to be in place, as provided by Article 27.

A temporary solution has been agreed between the UK and EU to allow data flows to continue for a period of up to six months following the United Kingdom’s departure. Data transfer arrangements currently in place will continue for this defined period while it is being decided whether the UK will be given ‘adequacy’ status.