The General Data Protection Regulation, or GDPR, becomes law on 25th May 2018. Going forward, what does this mean for your business?
What is GDPR?
The new General Data Protection Regulation (GDPR) sets out new rules for the handling of data. Many businesses will already know this area as Data Protection; GDPR is set to replace the existing Act. Therefore, businesses will need to alter the way in which they currently deal with personal details of employees and former employees, and report any significant breaches.
What is the purpose of this change in the law?
It has become evident that the current statutory framework is not “fit for purpose” due to the rapid growth of the internet and online behaviour. Personal data is now being used in ways that were not foreseen when the Data Protection Act 1998 was first implemented.
Do I need to do anything?
Yes. GDPR will affect businesses of all sizes, imposing new legal requirements on employers because they fall into the category of “data controllers.”
Significant financial penalties will be imposed on employers should they breach the GDPR. This includes fines of up to €20 million or 4% of annual turnover, whichever is higher.
Therefore employers, if they have not done so already, should prepare for the following changes:
Detailed privacy notices
Under current Data Protection provisions, employers are required to provide employees and job applicants with a privacy notice informing individuals of certain information. Under GDPR, employers will now need to provide more detail, including:
- How long the data will be kept on the system
- Whether the data will be transferred to other countries
- Information on the right to make a subject access request
- Information on the right to have personal data deleted or rectified
Restrictions on consent
At present, employers tend to justify the processing of personal data on the grounds of employee consent. This approach has been widely criticised, as there can be doubt as to whether consent is given freely in the employer–employee relationship.
The GDPR is expected to set out more prescriptive requirements when attempting to obtain consent. This means it will be more difficult for employers to rely on consent to justify processing.
New breach notification requirement
Article 31 of the GDPR provides that “in the case of a personal data breach, data controllers shall without undue delay” and no later than 72 hours after becoming aware of it, notify the personal data breach to the supervisory authority.
In the event that the breach poses a high risk to the rights and freedoms of the individuals concerned, those individuals will also have to be informed.
Data Protection officer
The GDPR makes it a requirement that organisations appoint a Data Protection Officer (DPO) in some circumstances.
Organisations must appoint a DPO if they:
- Are a public authority
- Conduct large-scale systematic monitoring of individuals
- Carry out large-scale processing of special categories of data, or of data relating to criminal convictions or offences
DPOs will be expected to:
- Advise on GDPR obligations
- Monitor compliance
- Liaise with the data protection authority
It is crucial that employers understand and comply with the new GDPR regulations. Employers will need their HR, legal, IT and compliance teams to take a united approach.
How can Employment Law Services (ELS) Help?
If you require employment law advice on any of the issues raised in this article, or on any other employment issue, give us a call today on 0370 218 5662. You can also find out more about our fixed fee HR packages here and our fixed fee employment law packages here, or get in touch.