GDPR - six months on

GDPR - six months on

There are a number of tricky issues that employers are grappling with following the introduction of new data protection rules.

With potential fines of up to €20,000,000 or 4% of annual worldwide turnover for breach of the General Data Protection Regulation (GDPR), the stakes are high for employers to understand the new regime and act accordingly.

Subject access requests

GDPR has made it easier to make Subject Access Requests (SARs). Previously employees would have had to pay £10 and employers had 40 days to respond. The £10 fee was waived by the introduction of GDPR and a fee cannot be charged unless the request is ‘manifestly unfounded or excessive’. The 40 day time limit has been reduced to ‘as soon as possible’ and, in any event, within one month.

Due to the increased public awareness there has been an increase in the number of SARs received and due to the waiving of fees and reduced response time there is a greater burden on employers.

When dealing with SARs employers should:

  • Ensure staff know how to recognise a request (requests can be made orally, electronically or in writing).
  • Ensure that the request is made by the data subject – are there any reasonable doubts on identity? If so this needs to be verified.
  • Scope the extent of each request upon receipt – if it is particularly complex, consider requesting further information from the individual as to what information it is they are looking for.
  • Note that if the same personal data is repeated in various places it only needs to be provided once
  • Note that there is no obligation to replicate data that is not personal data e.g. confidential information or financial information when responding to a request.
  • Be aware of inadvertent disclosure of personal data about others. Make sure you review and (if necessary) redact all such data about others.

Data breach reporting

GDPR introduced the requirement to notify data breaches to the Information Commissioner’s Office (ICO) and since GDPR came into force there has been a rapid rise in data breach reporting, with about 500 data breaches being reported to the ICO each week.

In recent weeks the hotel group Marriott has reported what may be one of the largest data breaches to date in that it affected the records pf up to 500 million customers globally.

There has been a marked increase in the number of complaints being made to the ICO, perhaps reflecting greater awareness among data subjects of their rights and increased concerns over data privacy and security. The ICO received over 6,000 complaints in the first three months since GDPR came into effect, a 160% increase over the same period in 2017.

Brexit

There is still uncertainty surrounding Brexit however Government guidance as of September 2018 states that “if the UK leaves the EU in March 2018 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.

This provides reassurance that work carried out to comply to GDPR standards has not been a waste of time and UK organisations will still be able to send their data freely to the EU without changes but there is still uncertainty as to whether EU data will be able to flow freely to the UK and this is likely to be an issue that will be considered within the coming months.

Conclusion

There is much more to come from GDPR as we are still in the early stages but the main theme to take from the above is that data protection compliance is increasingly important for all businesses.

Brachers can support businesses by providing advice on GDPR and other Employment Law matters. Please do contact us for further advice.