General Data Protection Regulation (GDPR): an employer’s guide

Despite Brexit, the UK will implement the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018. Peter Lawrence from Human Capital Department discusses significant changes employers need to be aware of – including a new penalty regime – and next steps you need to take.

The GDPR harmonises data protection laws across the EU, including the UK, and updates the current legislation to take account of trends towards globalisation and the ever-changing technology landscape.

Who has to comply?  

It will apply to any company processing the personal data of individuals in relation to offering goods or services, or to monitoring their behaviour, and it includes employers’ use of the personal data of their employees.

Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.

Employers should prepare for the following changes to avoid being subject to the new enforcement penalties.

More detailed privacy notices

Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:

·       how long data will be stored for;

·       if data will be transferred to other countries;

·       information on the right to make a subject access request; and

·       information on the right to have personal data deleted or rectified in certain instances.

Restrictions to consent

Currently, many employers justify processing personal data on the basis of employee consent. This approach has been increasingly criticised because there is doubt as to whether or not consent is given freely in what is often a master-subordinate employer-employee relationship. Employees will now be able to withdraw their consent at any time.

New breach notification requirement

The GDPR imposes a new mandatory breach reporting requirement. Where there has been a data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified.

Data protection officers

All public authorities and those private companies involved in regular monitoring or large-scale processing of sensitive data will need to appoint a data protection officer to:

·       advise on GDPR obligations;

·       monitor compliance; and

·       liaise with the data protection authority.

What steps do I need to take now?   

Co-operation and understanding of the new GDPR obligations across the business is critical and organisations will need HR, legal, IT and compliance teams to take a combined approach.

The most important steps for HR to take now include:

1.     Carry out a data audit. Carefully assess current HR data and related processing activities and identify any gaps with the GDPR.

2.     Review current privacy notices and update them to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.

3.     Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether or not it meets GDPR requirements and remember that consent may be revoked at any time.  

4.     Develop a data breach response programme to ensure prompt notification. Allocate responsibility to certain people to investigate and contain a breach, and make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.

5.     Determine whether or not a data protection officer must be appointed and, if so, think about how best to recruit, train and resource one.

To find out more:

Peter Lawrence from Human Capital Department will be doing a series of short [20 minute] talks about the forthcoming changes to the Data Protection Regulations [GDPR] which will come into force in May 2018.

These “4-Sight” 20 minute talks are part of the 4N Networking Meetings forum and visitors are welcome to attend, although they do need to be booked in advance – there is a charge to attend of £15 to cover the cost of the breakfast [or evening meal in the case of the Fakenham meeting].

i. Short Talk & Networking Meetings

“Preparing for the General Data Protection Regulations [GDPR]”

Peter Lawrence from Human Capital Department talks through the 12 steps to take now to prepare for the regulations, which come into force in May 2018.

At the following 4N meetings:

·       3rd Oct – Fakenham [Evening] / 6pm – 8pm 

·       6th Oct – Newmarket [Breakfast] / 8am – 10am

·       24th Oct – North Walsham [Breakfast] / 8am – 10am

·       22nd Nov – Ely [Breakfast] / 8am – 10am

·       23rd Nov – Dereham [Breakfast] / 8am – 10am

Please email Peter if you’d like to come along to any of the above networking meetings and he will get you booked in:


[email protected] or [email protected]

ii. Free Audit to ensure GDPR Data Compliance

Human Capital Department can also help by carrying out a free GDPR data audit, including a report and recommended changes to ensure compliance going forward, for the first ten companies that contact them.
