The EU General Data Protection Regulation (GDPR)
Update For Employers On The EU General Data Protection Regulation (GDPR)
The GDPR will come into effect on 25 May 2018 and will have a major impact on how businesses store and process data. The GDPR imposes more onerous obligations on employers, with fines for non-compliance of up to a maximum of €20 million.
The GDPR will apply directly in all EU member states with the core aim of establishing a "one-stop shop" for data protection, with a common set of rules applying across the EU. The Government has confirmed that the GDPR will be implemented in the UK as it will still be a member of the EU at that time.
The Information Commissioner’s Office has produced guidance on preparing for the GDPR which you can take a look at here. This guidance includes 12 steps employers should take now in order to prepare for the GDPR.
What is it?
The GDPR significantly restricts the use of consent as a justification for processing personal data, including employee personal data. Under the GDPR, consent must be freely given, specific, informed and unambiguous. It must also be given by a statement or clear affirmative action. The main implications of the new regulations for employers are that generic consents (for example, those contained in the body of many employment contracts) will not be a valid legal basis to justify processing employees’ personal data.
The key points are:
1. Consent to Hold Employees' Personal Data
Many employees only have a brief clause in their employment contract, giving "consent" for the employer to hold and process their personal data.
Under the GDPR, this will need to change. It will become much harder to rely on an employee's "consent" as a valid reason to hold and process data; consent will have to be informed, freely given, specific and unambiguously shown.
2. Show Data Protection Compliance
There will be increased expectations on employers' governance and record-keeping, such as carrying out data protection impact assessments when initiating a new project or system and implementing data protection policies.
3. Consider Data Protection
The GDPR requires businesses to understand and consider data protection in all new projects and technology, and be able to demonstrate that the impact on individuals has been considered and taken into account. This has particular significance in relation to the processing of sensitive personal data, e.g. sickness records
4. Permit Employees to Restrict how their Data is Used
Individuals will have much greater rights, including increased rights to object to certain processing, and the right to be forgotten, to have data corrected and to restrict how data is used.
The ‘right to be forgotten’ is a particularly hot topic and enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. Respond Quickly to Subject Access Requests
Subject access requests rights will be expanded and employers will have an obligation to comply with them without undue delay and within one month (as opposed to the current 40-day period), with a potential extension of up to two additional months.
However, if a subject access request is "manifestly unfounded or excessive", employers will be able to charge a "reasonable" fee to cover administrative costs or refuse to comply entirely.
6. Ensure Suppliers that Process Data are Compliant with GDPR
Currently, suppliers that process data, e.g. a payroll bureau, have very limited liability for data compliance. That changes under the GDPR. Data processors will be directly liable for some breaches of the rules. However, data controllers (i.e. an employer using a payroll bureau) still need to ensure compliance. Employers can also be held responsible for failing to protect and use data responsibly.
7. Removal of Requirement to Inform ICO Annually
The requirement to inform the Information Commissioner's Office (ICO) annually of a business's data processing activities and pay the fee has been removed.
Simply-Docs will be updating all documents to ensure that they are compliant with the requirements of the GDPR.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.