The EU General Data Protection Regulation (GDPR) came into force in the UK on 25 May 2018 and it brought considerable changes to data protection law in the UK and across the European Economic Area (EEA) more widely. It includes significantly greater fines for breaches of up to €20 million or 4% of the total worldwide annual group turnover. Failure to comply with the GDPR also carries risks beyond fines: adverse publicity leading to reputational damage and lost customer trust, civil liability or punitive damages for employment-related breaches, and business continuity issues. In addition, directors and senior managers can face criminal charges resulting in imprisonment and substantial penalties if found guilty of breaching the GDPR.
Your company should actively prepare for these requirements to ensure that you are compliant. This involves teaching/training staff on new obligations, reviewing policies and contracts as well as ensuring awareness of the transparency requirements. The GDPR is applicable if data processing takes place. This includes processing of employee personal data as well as personal data relating to all other living individuals.
And if you were wondering… the government has confirmed that Brexit will not prevent the GDPR from taking effect in the UK.
We have identified some of the biggest changes to the current law. We have kept these brief but there are many more you will need to familiarise yourself with.
What to do now
1. Check if your company is caught by the GDPR
The GDPR applies to your company if:
- You have a physical presence in the EU; or
- You are not EU based but you process data that relates to individuals in the EU in the context of offering goods or services or by monitoring behaviour.
Check if your responsibilities have changed under the GDPR:
- If you are a controller, you decide the manner and reason for processing personal data. Under the GDPR you are required to ensure that contracts with your processor are GDPR compliant;
- If you are a processor, you will act on behalf of the controller. Under the GDPR you must now document your activities of processing personal data.
2. Understand the changes introduced by the GDPR
2.1 Lawful processing and consent
- It is necessary to identify and record the lawful basis for processing. If processing is carried out with consent from the individual, the consent must have been given clearly, unambiguously and with an action to opt-in.
- Document all consents.
- It is difficult for consent to be freely given by an employee because of the imbalance of power between employer and employee. This means that consent alone is unlikely to be a valid basis for processing HR data, so employers should consider other grounds for lawful processing, such as being in the legitimate interests of the business.
- For employers, transparency in processing data is achieved by keeping the employee or prospective employee informed before data is collected and where any subsequent changes are made.
2.2 Accountability and demonstration
- A key change relates to the obligation to demonstrate compliance with GDPR. The requirement to register with the Information Commissioner’s Office has been discarded. Instead you have to keep full records of any data processed, including the type of data and the purpose it is used for.
- Data controllers must only process personal data which is necessary for each specific purpose. For employers, this means collecting enough data to achieve their purpose but not more than needed.
- You also need to give much more detailed notices to people you collect information from.
- Internal compliance programs, further data protection policies and staff training are all steps to take. Carrying out regular tests on the implementation and retaining the results can be used as evidence of continuous compliance.
2.3 Obligation to inform data subjects of the data you have collected
The previous data protection regime required organisations to inform individuals when personal data had been collected. The GDPR imposes requirements to supply further details to individuals. Policies on this should therefore be reviewed and updated.
2.4 Access to information
The GDPR removes the right to charge £10 for accessing personal data and companies are now required to supply the data within one month of receiving a request.
If appropriate, it is recommended that self-service access systems are put in place.
Next step: Are you comfortable dealing with subject access requests? Do you know what you have to disclose and what you can withhold?
2.5 Inaccurate data and erasure
Under the GDPR, individuals can require companies to correct inaccurate information. This includes a requirement on the company to communicate the rectification to third parties who have received the inaccurate data.
Subject to limited exceptions, the GDPR provides a right to have personal data erased and removes the previous requirement to show distress and damage as a result of the processing. Third parties must also be made aware of any erasure.
2.6 Data portability
Data portability enables data subjects to transfer their personal data in a commonly-used electronic format from one data controller to another, enabling people to switch between service providers more easily.
A request must be responded to within one month and information must be provided free of charge.
Next step: Do you have a system in place to deal with this request?
2.7 Notifying breaches
GDPR imposes an obligation to notify a data breach to the authority if the breach is capable of affecting the rights and freedoms of the individual. Each breach should be assessed to ascertain if a notification is appropriate. The individual should also be notified if the breach is of a high-risk nature.
Next step: You should ensure you have the right procedures in place to detect, report and investigate a personal data breach. You should also check that agreements with your suppliers require them to tell you immediately if there has been a breach.
2.8 Data Protection Officers
Public companies and companies carrying out extensive data processing must appoint a Data Protection Officer who will supervise and monitor compliance. He/she will also be the main point of contact for the authority and individuals.
Other companies may appoint a Data Protection Officer and should in any event be satisfied that they have resources to comply with GDPR obligations.
You should consider whether you need to appoint a DPO.
3. Implement GDPR
- Consider the geographical location(s) of your business
- Know and understand the data held within your business (specifically where it came from and who it is shared with)
- Carry out an audit of data protection policies and practices, including existing employment contracts, staff handbooks and employee policies, and update where necessary
- Make sure there is transparency over the nature of HR data processing relating to the data used, the purposes for which it is used and where it is processed.
- Where you have relied on consent to justify processing of HR data, consider an alternative and ensure this is recorded.
- Review privacy procedures and ensure that all rights granted to individuals under GDPR are accounted for
- Ensure consents from individuals are recorded/documented and that they have been given in a compliant manner
- Incorporate privacy policies for children and consents by parents/guardians
- Implement appropriate privacy notices
- Review procedure for accessing information
- Review agreements with suppliers
- Establish a data breach policy and create a breach reporting mechanism
- Train staff on obligations
- Possibly appoint a Data Protection Officer.
The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.
© Miller Rosenfalck LLP, December 2018