The new General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, replacing the current Data Protection Act (DPA). If you are already fully compliant with the DPA, you have strong foundations to build on to make sure you are GDPR ready.
In essence, the GDPR gives individuals greater rights over their personal data and how it is processed, and it requires that where processing relies on consent, that consent has been specifically requested and granted.
For employers, it is vital to be GDPR-ready by 25th May 2018: non-compliance can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher.
Why the need for change?
The Data Protection Act 1998 (DPA) aimed to let employees agree or disagree, without repercussions, with how their personal data was handled, via data protection consent clauses in their employment contracts. In reality, those clauses were often vague or buried deep in long employment contracts, and employees chose not to voice their concerns because of the imbalance of power between employer and employee. One of the aims of the GDPR is to resolve this.
What does the GDPR call for?
The GDPR introduces two main requirements when it comes to matters of consent:
– Consent must be freely given, specific, informed and unambiguous.
– Consent may be withdrawn by the individual at any time, and it must be easy to do so.
The GDPR also sets out much more stringent requirements for obtaining consent from employees to process their data, meaning employers may need to expand on the generic consent clauses in their employment contracts and be open and honest about what data will be used, why, and how. It will force employers to know their justification and lawful basis for processing employee data in cases where consent is required but not given (or is not an appropriate basis at all), and to ensure that data which is no longer relevant is not retained but securely destroyed.
What steps should I take to prepare?
Ensuring you are GDPR-ready may seem like an overwhelming task, so today we are sharing a few steps you should take right now to be ready for the changes:
1. Carry out a full assessment of the employee data you currently hold and how you handle and process it. Identify any activities that would fail to comply with the GDPR.
2. Under the GDPR, generic employee consent clauses are no longer appropriate. Create consent declarations that are separate from the employee’s acceptance of employment or the standard contract. These should be precisely tailored to the individual and the situation to which they relate.
3. The GDPR gives the individual the right to withdraw consent at any time. This does not affect data you must process to meet a legal obligation, e.g. passport or right-to-work documents, because that processing does not rely on consent in the first place. For other personal information that you feel has a legitimate place within your business, you need to identify an alternative justification or lawful basis for processing it. Assess the options you have. This step is important because one potential downside of the new right to withdraw consent is that employees may use it as a tactic for stalling disciplinary or redundancy processes. In the (hopefully) unlikely event that this happens, it will be advantageous to have a ‘back up’ lawful basis already in place.
4. The GDPR sets more stringent and detailed requirements for handling and processing personal data. Review and update your current privacy notices accordingly, ensuring they are clear, concise and easy for employees and job applicants to understand.
5. Develop policies and procedures for what to do in the event of a data breach. Assign individuals to contain the breach where needed, and to investigate and report it; under the GDPR, a breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of your becoming aware of it. It is also vital to train your staff to recognise a breach and deal with it promptly and appropriately.
6. A data protection officer must be appointed by public authorities (except courts acting in their judicial capacity), and by any organisation whose core activities consist of large-scale, regular and systematic monitoring of individuals, or of large-scale processing of special categories of data or data relating to criminal convictions and offences. Assess whether this applies to your organisation and, if so, investigate the best approach to recruiting and training a data protection officer.
The Information Commissioner’s Office (ICO) has put together an informative guide to help businesses meet their obligations under the GDPR.
It is essential to educate yourself on the requirements of the GDPR and to work out which procedures, if any, you need to adopt or update in order to comply.
Don’t forget that if your company works with third-party suppliers who handle and/or process data on your behalf, they must also be compliant, and they should be advising you of any adjustments they have made to protect the data they handle for you. If they have not already done so, request a copy of their data protection policies and check that they are fit for purpose, so that their failures or breaches do not come back on your business.
If you would like any advice or help on how to ensure your organisation is compliant with the GDPR, or how to find out more about the new regulations, contact us on 01582 883299 or email firstname.lastname@example.org.