Are you prepared for the General Data Protection Regulation (GDPR)?
Ted Flanagan, 5th January, 2018
The GDPR is an EU regulation that will be introduced across the EU on 25th May 2018. The government has confirmed that Brexit will not affect its introduction so it will apply to the UK.
Employers who hold data on employees (as well as holding it on customers, prospective clients for marketing purposes, other third parties etc.) are already subject to the Data Protection Act 1998 and will be subject to the new Regulation.
Currently, an employer is entitled to process data on employees if the employee has consented or the process is necessary for the performance of a contract or other legal obligation.
The main changes
Having an employment contract setting out that the employee consents to the processing will no longer be enough as the employee needs to give free and informed consent. Therefore employers will need to provide a lot more detail to the employees about the data that is held or shared about them, the purpose of this and their right to withdraw consent.
In addition, the data can only be processed in certain circumstances so an employer will have to show that obtaining and processing the data is necessary for the purposes of their legitimate interests. Data must be up to date, accurate and only held for a specific purpose and retained only for as long as is necessary.
Employees will have new rights to have information transferred to a future employer and rights to object to profiling or certain processing of data.
Subject access requests will no longer be subject to a fee and copies of the data rather than a summary will have to be provided. The time to respond will be a month rather than 40 days although the response can be electronic.
Many businesses will require an appointed Data Protection Officer. Certainly all public authorities will and businesses will if their core activities require regular and systematic monitoring of data subjects on a large scale. The Data Protection Officer will be responsible for managing security and business continuity issues. It does not need to be an employee – it can be a third party consultant.
Penalties for breach of Data Protection rules will increase from £500,000 to the greater of €20m /4% of worldwide turnover
What this means for you
The detail is yet to be worked out fully and we will update you about this further in March 2018.
However, all data kept on employees (and for how long) is now going to have to be justified and employees are going to need to be informed of their rights in respect of that data.
We do recommend businesses assign an employee or consultant to take charge of this so that the information provided to employees, the data held and the data processed or shared is already compliant with the Regulation.