The countdown to the replacement of the current Data Protection Act 1998 with the General Data Protection Regulation (“GDPR”) is now in full swing: the GDPR will apply directly in the UK from 25 May 2018.
Early indications are that there is a lack of awareness, particularly within the SME community, of the sea change not just in structure but also in attitudes that will be required to become GDPR compliant. At the very least, by now companies should have made preparation for the GDPR a Board-level agenda item and identified a project team or project leader to evaluate the process and administrative changes that are necessary to become GDPR compliant. The responsible individuals should then create a timetable leading up to 25 May 2018, with checklists and milestones identified and agreed.
Although it is not mandatory to appoint a Data Protection Officer (“DPO”) unless you are a public authority, or your core activities involve the regular and systematic monitoring of individuals on a large scale or the large-scale processing of special categories of data (such as health data) or criminal conviction data, it is certainly good practice. In short, the role of the DPO is:
· to act as advisor to the organisation on its obligation to comply with the requirements of the GDPR and to inform its employees of their obligations;
· to monitor and manage internal data processing activities to ensure compliance with the GDPR, train employees, conduct internal audits and provide guidance on data protection impact assessments;
· to be the point of contact for, and to cooperate with, the Information Commissioner’s Office (“ICO”), which is the supervisory authority for the UK.
A note of caution: compliance with the GDPR is not the responsibility of any one individual. It requires top-down support and the awareness and engagement of department heads, managers and individuals as to their roles and responsibilities.
Set out below are two examples of how the GDPR will change the existing law.
1. SUBJECT ACCESS REQUESTS UNDER THE GDPR
The data subject access right in the GDPR makes some changes to the rules on responding to a data subject access request.
Data subjects will continue to have the right under the GDPR to access personal data concerning them and to obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients of the data. In addition, under the GDPR the employer will have to inform the data subject:
· of any recipients of the data in countries outside the European Economic Area and the safeguards applied on a third country transfer of data;
· the envisaged retention period for the data, or the criteria used to determine that period; and
· the data subject’s rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing, and the right to lodge a complaint with the ICO.
Employers, and other data controllers, will have to respond to a data subject access request ‘without undue delay’ and within one month at the latest. This can be extended by two further months where necessary, taking into account the complexity and number of requests, but the controller must tell the data subject about the extension, and the reasons for it, within the first month. Under the current rules, data controllers have 40 days to respond to a request.
Data controllers will no longer be able to charge a fee (currently up to £10 in most cases) for providing information in response to a data subject access request, unless the request is ‘manifestly unfounded or excessive’, in particular because it is repetitive.
If an employer receives a request that is manifestly unfounded or excessive, it will be able to charge a reasonable fee taking into account the administrative costs of responding to the request. Alternatively, it will be able to refuse to act on the request. In either case the burden is on the employer to demonstrate that the request is manifestly unfounded or excessive, so the reasons for that conclusion should be recorded.
Where the data subject makes a request by electronic means, the information will need to be provided in a commonly used electronic form where possible, unless the data subject requests otherwise.
2. RECRUITMENT DATA UNDER THE GDPR
Amongst other things, the GDPR’s rules on transparency and fair processing apply to the collection of personal data about job applicants during a recruitment process.
The new rules will apply to data obtained from the applicant or from a third party such as a recruitment agency.
Prospective employers will need to provide applicants with an information notice. This notice will need to contain certain information, including the purposes for which the data will be processed, the legal basis for processing and the period for which the data will be retained.
Employers will be able to provide the information notice on their website, and send a link or copy of the notice in correspondence to individual applicants. Where the employer advertises a post on a website owned by a third-party, it should ensure that the details of the vacancy include a link to the information notice.
Employers should retain only the minimum data required and keep it only until the relevant limitation periods for bringing potential tribunal claims have expired (for most tribunal claims by unsuccessful applicants, including discrimination claims, three months from the act complained of, subject to extension for early conciliation).
Employers who intend to keep the details of unsuccessful candidates on file for future recruitment rounds should obtain the candidates’ consent to this (or identify another lawful basis, such as legitimate interests, and tell candidates in the information notice). Employers who keep unsolicited CVs on file for future recruitment rounds will need to inform candidates of this in the information notice.
Job applicants will have the right not to be subject to a decision based solely on automated processing. Employers will only be able to use automated decision making if it is:
· necessary for entering into, or performing, a contract;
· authorised by law; or
· based on the applicant’s explicit consent.
Employers who use automated decision making will need to advise applicants of this in the information notice, including meaningful information about the logic involved. They will also have to provide safeguards for applicants by allowing them to express their point of view and contest the automated decision, and by giving them the right to have the decision reviewed with human intervention.
Employers who use recruitment agencies should satisfy themselves that the agency will implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects. Where the agency processes applicant data on the employer’s behalf, the GDPR also requires a written contract setting out the agency’s data protection obligations.
For further information and support with your GDPR compliance preparations contact FG Solicitors on 01604 871143 where a member of the team will be happy to assist.