The UK is shortly to undergo the biggest change to its data protection laws in over twenty years. The General Data Protection Regulation, or GDPR, is due to come into force on 25th May 2018 and will replace the current Data Protection Act 1998.
What are the key facts?
- The General Data Protection Regulation (GDPR) is replacing the Data Protection Act 1998 from 25th May 2018.
- GDPR will harmonise data protection laws across the EU, and will update the current regulations to take full account of globalisation, and the ever-changing technology landscape.
- The Regulation will apply to any company processing the personal data of individuals in the EU in relation to offering goods and services, or else to monitor their behaviour.
- Significant penalties can be imposed on employers who breach the GDPR, including fines of up to €20 million or 4% of the business's annual turnover, whichever is greater.
- The level of fine will depend upon the type of breach and any mitigating factors, but they are designed to strongly penalise any employers who show a disregard for the GDPR.
How could it differ from the current Data Protection laws?
Under the Data Protection Act 1998, employers are required to provide employees and job applicants with a privacy notice, setting out certain information. Under the terms of the GDPR, employers might now need to provide more detailed information, such as:
- How long personal data will be stored for
- If data will potentially be transferred to different countries
- Information on the right to make a subject access request
- Information on the right to have personal data deleted or rectified in specific circumstances
The GDPR may also impose a mandatory breach reporting requirement, requiring employers to notify and provide key information to the data protection authority within 72 hours of any breach.
Will Brexit affect GDPR’s introduction?
The GDPR will continue to apply to UK businesses for now, regardless of Brexit. It should be remembered that the UK will continue to remain a part of the EU until at least 2019, regardless of the beginning of Brexit negotiations. The GDPR took effect prior to the triggering of Article 50, meaning we must still comply until at least the time we officially leave the EU.
Even on leaving the EU, businesses directing products and services at EU citizens may still have a legal requirement to comply with the GDPR.
Who else should be aware of GDPR in your business?
- Data Controllers – They must provide more detailed information to data subjects as to how and why their data may be processed, and comply with stricter protocols.
- Data Processors – They may be required to be responsible for certain regulatory liabilities for the first time.
- ‘Data Protection Officer’ – If your organisation plans to process sensitive personal data on a large scale, you should be prepared to appoint a Data Protection Officer to oversee this process.
- CEO / Key business stakeholders – It is vital that your business's decision makers are aware of the GDPR from the outset, and able to work with you to build a solid strategic plan that addresses its challenges. ‘Buy in’ from major internal stakeholders is key to your business's future success.
What can you do now to prepare for GDPR?
- Read and absorb as much as possible on the subject. You and your team may need to fully understand how the terms of the Regulation will affect policies and procedures for recruitment, the course of employment, and when contracts are terminated.
- Review and update all your existing data protection policies. It has never been more important to ensure that any changes or updates are clearly communicated to your employees. Equal opportunities policies may also need to be updated to explain any changes to the way in which sensitive data is stored and retained.
- Health-check all your current business relationships with service providers, data processors and contractors. Do you need to make any changes to the way you do business?
- Amend any documentation that alludes to data processing, as employees may now have rights to expect greater transparency in relation to this. Work with other key stakeholders to ensure that all personal data is processed properly.
- Check that you have suitable systems in place to notify the regulator (and, potentially, any affected data subjects) if a data breach should occur. Inform all staff of the correct procedure and response should this happen. Developing a data breach response programme is vital to ensuring the correct protocols are observed.
- Check in with your IT team – you need to ensure that your IT system allows you to delete data in a comprehensive way, as data subjects may have a new ‘right to be forgotten.’
- Employees may have an enhanced right over any use of their data in a professional environment. Employers may need to take steps to ensure that employees have expressly consented to the use of their data – with this in mind, you should consider using a separate form for this, rather than including it as a clause in an employment contract.
- Review all your current privacy notices, and update them to ensure they comply with the more detailed information requirements. All information included must be easy for employees and job applicants to understand.
- Review any arrangements you may have involving personal data being held outside the UK.