In terms of legal opinion on which others may place reliance it is often advisable to do away with the needle of innuendo and pick up the club of statement. In line with that adopted position, you are invited to consider the implications of the impending arrival of the General Data Protection Regulation (“GDPR”).
As the Regulation has its origins in EU law, an immediate question is whether it will survive Brexit. The short answer is that, whatever becomes of the law after exit, the Government has confirmed that the UK will implement the GDPR when it applies from 25 May 2018, because the UK will still be a member of the EU on that date.
The GDPR heralds the biggest shake up in privacy laws in 20 years and will have a seismic impact on the human resource data processing undertaken by employers and employment related entities.
There will be some fundamental changes to the current law and organisations need to be aware of those changes and should be actively developing a strategy for compliance ahead of May 2018. This is especially so because the cost of GDPR non-compliance rises dramatically compared with the current data protection regime: the new fines are tied to turnover and can reach 4% of a business’s total worldwide annual turnover for the preceding financial year (or €20 million, whichever is higher), against the current maximum of £500,000 under the Data Protection Act 1998. It will also become easier for individuals to claim compensation, and group actions will be more likely.
THE KEY CHANGES…
As a minimum, the key changes for staff engagement purposes include:
Consent: A blanket clause in the Contract of Employment deeming the employee to consent to the lawful processing of their data will no longer suffice. Consent must be a freely given, specific, informed and unambiguous indication of the employee’s wishes, given by a clear affirmative act, and it must be explicit where special categories of data (for example health, or trade union membership) are involved. The organisation will need to be able to demonstrate that consent was obtained for each processing purpose, that it was freely given (potentially difficult given the imbalance of power in the employment relationship) and that it was informed, and it will need a mechanism allowing consent to be withdrawn at any time, as easily as it was given. For most routine HR processing, therefore, employers should identify and document an alternative lawful basis, such as performance of the employment contract, compliance with a legal obligation or legitimate interests, rather than rely on consent.
Subject Access Requests: The information to which data subjects will be entitled under the GDPR is more extensive. The time for providing it is reduced from 40 days to one month (extendable by up to two further months where requests are complex or numerous) and organisations will no longer be able to charge a fee, save where a request is manifestly unfounded or excessive.
Right to Erasure: Also known as “the right to be forgotten,” this right allows individuals to request the permanent deletion of their personal data in certain circumstances, for example where the data are no longer necessary for the purpose for which they were collected or where consent has been withdrawn. This will cause organisations particular difficulties where personal files are held both centrally and locally (for example, by a line manager), because every copy must be located and deleted.
Right to Restriction: In certain circumstances organisations are obliged to restrict processing, including where an employee contests the accuracy of their personal data; while the accuracy is being verified the data may be stored but not otherwise used. This could result in certain management processes, such as disciplinary or performance procedures, being stalled.
Breach Notifications: Data controllers will be obliged to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must be informed as well. Data processors (for example payroll or HR software providers) must notify the controller without undue delay after becoming aware of a breach, and contracts with such providers should provide for this.
DO WE NEED TO DO ANYTHING YET?
Organisations could be forgiven for thinking that, as the GDPR implementation date (25 May 2018) is still the best part of 12 months away, and with Brexit looming, the matter can be left for now. But compliance with this legislation will require a good deal of planning and remapping of existing processes. The immediate steps for any organisation include:
- A comprehensive audit of existing systems and processes;
- Deciding whether additional personnel should be recruited to take on specific roles and responsibilities;
- Designing systems that will assist with GDPR compliance (including a process for detecting, recording and reporting breaches within the 72-hour window);
- Identifying appropriate training for staff – for example, general awareness training for staff with more specific training for those with greater compliance responsibilities (including the IT Department and HR managers); and
- Reviewing and upgrading current Contracts of Employment and policies to manage risk.
We can undertake your audit and assist you with preparation for GDPR implementation. For a non-obligation consultation, please call a member of our team on 01604 871143 or email us on firstname.lastname@example.org