General Data Protection Regulation (GDPR) Are you ready?

In May this year (25th May 2018) the UK’s data protection laws will be substantially overhauled when the GDPR comes into force. Please note the Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Although the key principles of data privacy under the old Data Protection Act (DPA) (1998) will still apply, there are a number of considerable changes in the way that organisations and individuals use data as the world is now much more data-driven and protection for privacy has never been more important in an increasingly digital economy and society. These regulations will replace the existing Data Protection Act.

The key points are:

  • They apply to all companies who legitimately process employee data residing in the EU and also companies located outside of EU if they offer goods or services within the EU. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is far wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. It also covers sensitive personal data known as “special categories of personal data”. This also covers client data, so this is far more wide ranging than solely HR data.
  • Employees will be able to request to see their personal data (Subject Access Request) free of charge and a copy needs to be provided within 1 month and in an electronic format. This is a draconian shift in regards to data transparency and empowerment of data subjects.
  • Employees consent must be freely given, informed, specific and explicit, and must be given by a statement or clear consent and must be separate from other terms and conditions. e.g. cannot use tick boxes, cannot use consent inferred from silence, cannot rely on their consent if data protection policies are stated in existing Employee Handbooks or Contracts of Employment.
  • Employees will have the “right to be forgotten” also known as “data erasure” and the data controller will need to erase their personal data. However the company would compare the subjects rights to those that are within “the public interest in the availability of the data” when considering such requests.  Most importantly, if an Employee refuses to permit the Employer permission to hold their personal data, this would theoretically mean that the IT, HR or payroll systems cannot function in relation to the Employee and they could not remain employed by the Company!
  • The regulations still apply to “Data Controllers” or Data Protection Officer – who controls how and why personal data is processed in the company and “data processors” who actually undertake the processing of employee’s information.
  • Employers will need to have robust data protection security arrangements in place. Please be aware that misplacing documents, files and electronic devices remains one of the key causes of security breaches in the workplace. According to the Government’s “2015 Information Security Breaches Survey” (available at http://pwc.to/1SWbv57), 90% of large organisations and 74% of SMEs reported a security breach, leading to an estimated total of £1.4 billion in regulatory fines.
  • Implementing a “Clean Desk Policy” may be difficult to apply, but useful approach which would require employees to clear their desks when they are away from them and at the end of each working day, eliminating the risk of documents, files and even sticky notes containing sensitive information going astray. However, getting everyone to apply such an approach could be a challenge.
  • Any breaches of data protection must be notified to the Information Commissioner’s Office (ICO) within 72 hours of discovery.
  • Non-compliant organisations may face heavy fines, from the ICO, which can be 4% of annual global turnover or €20 million whichever is the greater. Note — this far exceeds the current maximum of £500,000.

This is a significant/challenging piece of legislation.  all clients should now be aware of the substantial ramifications of this legislation, and should be well underway in their planning for these Regulations coming into effect in May 2018.

Further information can be found on the ICO’s website at https://ico.org.uk/for-organisations/data-protection-bill

Peter Corrighan – HR Manager