Employers will start to hear more about the GDPR (General Data Protection Regulations) from now onwards and I received my first query from a client about it recently so I think this is something for all employers to at least have some knowledge about at this stage.
The Government has confirmed that GDPR will apply in the UK from May 25, 2018, so it is important that businesses and employers are aware and prepare for the changes. If you are currently subject to the DPA (Data Protection Act), it is likely that you will also be subject to the GDPR too. I know it’s a year away from now but, as always, the best thing to do is not ignore it and plan accordingly.
What is the GDPR?
Currently, the UK relies on the Data Protection Act 1998, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
So, although it’s a European Regulation, our impending EU exit will NOT exempt organisations from GDPR compliance. Sorry!
Who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR’s obligations. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So, the controller and processor could be any organisation, including obviously, employers.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
The ICO (Information Commissioner’s Office) is the best resource to refer to as they will be helping all organisations get ready to comply, they have even set up a micro-site for this purpose – see here.
The ICO’s 12 steps guide that businesses can start taking now to prepare for the GDPR is a useful starting point, especially those small-to medium-sized firms who may be intimidated by the (over 200-page) GDPR – it helps puts theory into practice and could hint at the ICO’s enforcement focus going forward.
What are the initial steps that all organisations should take to prepare for the GDPR?
1. Create Awareness
Ensure there is awareness amongst key stakeholders in your organisation that the GDPR represents a major overhaul of data protection law in Europe and identify the areas of the GDPR that have the biggest impact on them.
Conduct an audit to establish what personal data you currently process. Find out where the data is stored and who has access. Erase any unnecessary or outdated data.
As part of the audit, establish the purpose for which you process the data and the legal basis that you are relying on for processing.
Review all data protection policies and codes of conduct to ensure they comply with the new principles. If these do not exist they should be created as soon as possible.
Review existing supplier arrangements and template contracts to ensure that, in particular, the new direct obligations on data processors are covered.
Review and update existing information notices as the GDPR specifies information that must be provided to individuals about their personal data.
Review insurance arrangements and assess whether your organisation needs data protection coverage.
Consider what grounds for lawful processing do you currently rely on: consent? Performance of a contract? Legitimate interests? Note that public authorities can no longer rely on the ground of “legitimate interests” when processing data.
If you rely on consent, consider how you currently obtain consent. Under GDPR it must be unambiguous, active, and relate specifically to the purposes of the processing. You will no longer be able to rely on pre-ticked boxes or bundled consent.
Consider whether there is a requirement to appoint a DPO.
Train all members of staff on the new rules and ensure that any person likely to receive requests from individuals relating to personal data knows how to deal and respond.
Ensure that the relevant people know who to report to in the event of a breach. Review and update internal breach procedures and prepare incident response plans.
Keep paper trails of all data processing activity, including decisions relating to data processing, to demonstrate compliance. Ensure that privacy impact assessments are carried out when required and keep all relevant documentation.
This may be the first time you have even heard of the GDPR, but it won’t be the last and if you do nothing else, it would be worth a visit to the ICO website using the links above to at least start thinking about it.