General Data Protection Regulation
The GDPR will replace the Data Protection Directive with effect from 25 May 2018. This change is intended to respond to new technological developments and to put in place a consistent framework for the protection of personal data.
It is expected that the UK will adopt a national data protection regime that is largely in line with the EU regime on leaving the EU. The European Commission has claimed that these changes will save businesses EUR2.3 billion a year although some commentators have raised questions about whether this will in fact turn out to be the case.
The changes are significant and organisations need to be planning for the changes now.
- Data must be processed fairly, lawfully and transparently, meaning individuals must be given clearer and more open explanations of how their data will be used.
- One of the lawful bases on which data can be processed is the individual's consent. The consent requirements are considerably strengthened under the GDPR: consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
- A clearer statement (privacy notice) must be given to job applicants and employees explaining how their data will be processed. It must be easy to understand and must set out the lawful basis on which their data is processed. Further information must also be given, for example on how to withdraw consent, how long data will be retained and the right to complain to the Information Commissioner.
- Enhanced individual rights include a package built around the "right to be forgotten" (erasure), the right to have inaccurate data corrected (rectification) and the right to restrict how data is processed, summarised as the right to "delete it, freeze it, correct it".
- Data Protection Officer – irrespective of its size, an organisation must appoint a DPO if it is a public authority or if its core activities involve large-scale processing of special categories of personal data or large-scale, regular and systematic monitoring of individuals, and every organisation must be able to demonstrate compliance. DPOs will provide advice, act as the point of contact for the Information Commissioner and monitor compliance.
- Data processors have specific duties and can be fined for breaches.
- Data subject access requests must be answered "without undue delay" and in any event within one month, extendable by a further two months where requests are complex or numerous (so up to three months in total).
- The £10 fee is removed, although if a request is manifestly unfounded or excessive an employer can charge a reasonable fee or refuse to comply.
- Records have to be kept of processing activities.
The maximum penalty for non-compliance is the higher of EUR 20 million or 4% of total worldwide annual turnover. Lesser breaches of the GDPR can incur fines of up to the higher of EUR 10 million or 2% of worldwide annual turnover.
Steps to Consider Now
- Identify all existing data systems and the personal data processed.
- Consider appointing a DPO.
- Review privacy notices and other fair processing information and ensure it is compliant with the new requirements.
- Review contracts of employment, handbooks and policies to see whether and how they deal with data protection (and in particular, how consent is sought).
- Establish a policy (with a timeline) for detecting, recording and handling personal data breaches, bearing in mind that notifiable breaches must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them.
- Plan for staff training on data protection responsibilities.
- Develop and implement a policy on retention and storage of data, including emails, personal file information (including warnings) etc.
Further guidance is available from the ICO, including its booklet "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now".
How can we help
Brachers and our HR consultancy service, Kent HR can support you in ensuring compliance with the new GDPR including contract, handbook and policy reviews, the provision of standard documentation and risk audits.
For further information please contact Catherine Daw on 01622 655291 or Veronica Fox on 01622 655294.