GDPR
09 Jan 2018
We live in an inter-connected world which is getting more and more complex by the day.
The pace with which the internet and digital revolution is changing our lives shows no signs of slacking – and the issues it throws up become seemingly more challenging.
Take data collection as an example.
Businesses are already familiar with their responsibilities under the Data Protection Act 1998. It is something we have all become used to – and adapted to – over the years.
But from May 2018 those duties will be tightened up under the General Data Protection Regulation – the biggest shake-up in this area for two decades.
The GDPR heralds a significant shift in the culture of how organisations handle data and comes with stiff penalties for falling foul of the law.
It’s vital that employers and HR professionals take steps now – if they haven’t already – to ensure they are prepared for the new provision.
Employers will need to review how they collect, hold and process personal data, as well as how they communicate with individuals about that activity.
Recruitment processes, performance management and bonus allocation, disciplinary and grievance procedures and policies and any auto-processing or use of employee data for marketing purposes will need to reflect the new legislation.
The regulation emanates from the European Union (EU) and aims to expand, modernise and harmonise data protection laws across the union and usher in the concept of data protection by design and default.
It applies not only to organisations inside the EU but also to those outside who are providing goods or services, or monitoring browsing behaviour, within Member States. It applies directly to all EU states, including the UK, from 25 May 2018 and comes into effect with a hard landing.
That means there is no transition period and no excuse for non-compliance from day one.
The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament. So, there is no get-out clause here.
The most significant change as far as employers are concerned is the increased sanctions. Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater.
Meanwhile staying compliant is likely to lead to additional costs and administration.
The conditions for obtaining valid consent for processing personal data will also become much stricter. Blanket wording in an employment contract – which arguably doesn’t meet current data protection requirements – will most definitely not meet the GDPR rules.
There are also greater transparency obligations. Organisations must provide more information on what data they hold and how they use it – both for those inside the organisation and those outside it.
Running parallel with this is a new emphasis on accountability. And this is no simple box-ticking exercise.
Organisations must be able to demonstrate their compliance to regulators – in the UK’s case, the Information Commissioner’s Office (ICO) – on an ongoing basis and to maintain records.
Because the GDPR requires data protection and privacy by design and default, organisations need to build appropriate privacy requirements into their day-to-day operations and notify the ICO, and any individuals affected, if certain types of data breach occur.
In short, the GDPR’s data protection principles state that organisations must be able to demonstrate that any personal data they handle is:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept for no longer than is necessary where data subjects are identifiable
- processed securely and protected against accidental loss, destruction or damage.
- The definition of data processing will be similar to the existing one, although the definitions of personal and sensitive data have been expanded.
So, what can you do to make sure you stay the right side of the new law? Here’s a handy checklist to get things started:
- Organisations should carry out an audit to identify any data protection risk areas and take the first steps towards creating a culture of data protection by design and default. Teams should identify:
- what personal and sensitive personal data is obtained from employees
- how and where that data is stored, accessed and used, and the legal basis for collecting, storing and processing it
- what data is shared with third parties
- what kind of monitoring of employees takes place and where
- They should prepare an action plan that specifies what needs to be done when (bearing in mind the compliance deadline), who will do what and any internal and external support required.
- They also need to:
- consider what documentation must be prepared or updated
- review policies and processes and decide which to change (different policies may be needed for employees and managers)
- reinforce the changes through training (and keep attendance records)
- think about what needs to be shown to whom to demonstrate compliance.
- Both the GDPR and the EU-US Privacy Shield (which regulates transatlantic data transfers) are likely to be affected by Brexit, depending on whether the UK remains a member of the European Economic Area or not.
- If the UK remains in the EEA post-Brexit, the GDPR and Privacy Shield will remain as they are. If it leaves, the UK’s options may be limited as it will need to meet the requirements of the EU (whatever they may be) to process EU data. The UK government has already taken steps to address this under the Data Protection Bill. Primarily there is a need to avoid a mismatch of data protection rights becoming a barrier to trade.
