Many people will have noticed a recent increase in e-mails from businesses and other organisations, asking them for permission to continue sending them e-mails, or using their personal data. This is because companies have been hurrying to ensure that they are in compliance with the new UK data protection regime, which consists of the GDPR, and the new UK Data Protection Act 2018 which received Royal Assent on 23 May 2018, and also comes into force on 25 May. The new Act repeals the existing Data Protection Act 1998 and revokes the secondary legislation made under the 1998 Act.

Organisations processing personal data have had two years to prepare for the entry into force of the GDPR, but some have left it very late to get their data protection house in order. The new data protection law makes a range of significant changes to the scope of the existing data protection framework. These changes include: enhancing transparency requirements, tightening the rules on consent; providing specific rules for consent by minors; expanding the scope of personal data and ‘special category’ (formally known as ‘sensitive’) data; and introducing data breach notification requirements. There are greater data subject rights, e.g. data portability and the right to be forgotten; increased legal responsibility for data processors; and the mandating of Data Protection Impact Assessments and the designation of an independent Data Protection Officer for some data controllers and processors, including those engaged in regular and systematic monitoring of data subjects, e.g. public area CCTV systems.