One of the biggest changes introduced by the GDPR is around accountability – a new data protection principle that says organisations are responsible for, and must be able to demonstrate, compliance with the other principles. Although these obligations were implicit in the Data Protection Act 1998 (1998 Act), the GDPR makes them explicit.
You now need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect people’s rights. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now formally recognised and legally required in some circumstances.
Organisations that already adopt a best practice approach to compliance with the 1998 Act should not find it too difficult to adapt to the new requirements. But you should review the measures you take to comply with the 1998 Act and update them where necessary so that you can demonstrate your compliance under the GDPR.