What employers need to know about the new General Data Protection Regulation
The introduction of the General Data Protection Regulation (GDPR) is the biggest shake-up in data protection and privacy rules in 20 years, and you need to make sure your business is prepared.
What is GDPR?
Despite Brexit, the UK is going to implement GDPR, and it will come into force on 25 May 2018. It is the new regulation covering data protection and the use of personal data by organisations across the EU. In the UK it replaces the regime of the Data Protection Act 1998.
The regulation applies to all organisations that process personal data and are established in the EU. It also reaches organisations outside the EU that offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU; what matters is where the individual is, not their nationality.
The philosophy behind GDPR is that data relating to individuals (Data Subjects), belongs to the individual and not the person controlling or processing the information.
Significant penalties can be imposed on organisations for not complying with GDPR, including fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. Employers should prepare for the following changes to avoid being subject to the new enforcement penalties.
Under GDPR, employers need to provide employees and job applicants with more detailed information about how their personal data is used (usually in a privacy notice), such as:
- the legal basis and purpose for processing the data;
- how long the data will be stored for, or the criteria used to decide that;
- whether the data will be transferred to other countries;
- details of the right to make a subject access request; and
- information on the right to have personal data deleted or rectified, and the right to complain to the Information Commissioner's Office (ICO).
GDPR sets more prescriptive requirements for consent than the Data Protection Act 1998. Consent is only one of several lawful bases for processing personal data, and in the employment context it is often not the right one: because of the imbalance of power between employer and employee, consent is unlikely to count as "freely given", and an employee can withdraw it at any time. Where employers do rely on consent, it must be a clear, affirmative act (no pre-ticked boxes or silence), specific to the processing in question, and as easy to withdraw as it was to give. Any request for consent must be intelligible and easily accessible, using clear and plain language. For most HR processing, employers should instead identify another lawful basis, such as performance of the employment contract, compliance with a legal obligation, or the employer's legitimate interests.
Should there be a personal data breach, the employer must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals (for example, leaked payroll or medical details), the affected employees must also be told without undue delay. Every breach, whether or not it is reported, must be recorded internally, so employers need a process for spotting, assessing and documenting breaches quickly.
Data Protection Officers
A Data Protection Officer (DPO) is a formal role created under GDPR. The DPO informs and advises the organisation on its data protection obligations, monitors compliance (including staff awareness and training), advises on data protection impact assessments for higher-risk processing, and acts as the contact point for the ICO. A DPO must be appointed where:
- processing is carried out by a public authority;
- the organisation's core activities involve regular and systematic monitoring of individuals on a large scale; or
- the organisation's core activities involve large-scale processing of special categories of data (such as health data) or data about criminal convictions.
The DPO must be able to act independently, must report to the highest level of management, and is the point of contact for Data Subjects on anything to do with their personal data. Organisations that are not required to appoint a DPO may still do so voluntarily, but the same requirements then apply to the role.
How can employers prepare now?
Co-operation and understanding of the new GDPR across a company is crucial. It will require a combined approach from a number of departments, such as HR, IT and compliance.
From an HR perspective, employers should:
- carry out a data audit and assess the HR data they currently hold, where it came from, where it is stored and who it is shared with;
- identify the lawful basis for each type of HR processing and record it;
- review their current privacy notices and update them to comply with GDPR;
- check whether any processing that relies on consent actually meets the GDPR requirements, and move to another lawful basis where it does not;
- put in place a procedure for recognising, recording and reporting personal data breaches; and
- determine whether or not a DPO must be appointed.
Now more than ever, data protection is a general regulatory duty for all businesses. It is a mistake to regard it as solely a concern of the IT or HR departments. Businesses must also consider personal data that is processed on behalf of customers and third parties, as well as that of employees.
We are offering bespoke training for businesses on the new General Data Protection Regulation. If you are interested in this or would like to discuss points raised in this blog, then contact us on 0161 926 9969 or by email on firstname.lastname@example.org.
Don’t forget to follow our twitter page @HRGuruUK for regular updates on Employment Law.