Author: Cicely Slatter
It’s 1 May, which means that with regard to the GDPR coming into force the clock is really ticking. This new regime will apply from 25 May 2018. As such, all organisations should be reviewing their approaches to data protection and implementing new measures, as and where required.
What is the “GDPR”?
The “GDPR” is the abbreviation of the General Data Protection Regulation. This is European legislation which will have legal effect in the UK even after Brexit).
The GDPR represents a new approach towards data protection. In particular, we will see more robust legal protection towards individuals’ personal data. This tightening up of the law can be seen through some of the below changes under the GDPR.
- Data protection by “design and default” – data processors will need to implement technical and organisational measures to show that they have considered and integrated data protection law into their processing activities.
- A formal acknowledgement of “accountability” – data processors are formally recognised in the new legislation as being responsible for implementing the GDPR. Accordingly, data processors (e.g. payroll administrators and outsourced IT providers) will need to document and demonstrate that their processing activities are compliant.
- Consent under the GDPR must be “freely given, specific, informed and unambiguous”. In an employment context, employers are now advised to avoid relying on consent due to the unequal relationship between employer and employee. Employers are therefore encouraged to consider what other lawful reason for processing data can be relied upon such as for the necessary performance of a contract.
- Tighter rules on what constitutes valid consent to the processing of sensitive, personal data.
- Easier access to personal data, including shorter timeframes for compliance with Subject Access Requests.
- The right for individuals to request correction or deletion of their personal data (in certain circumstances).
- More stringent breach -reporting procedures (including breaches being reported within 72 hours of awareness)
- More stringent sanctions for non-compliance, including possible fines up to €20 million.
Are employers affected?
Yes. Employers collate and store large amounts of personal data and are therefore required to comply with data protection law. This means that employers need to be taking steps towards compliance under the new regime.
How can we help employers?
Aimed at helping employers and HR teams, we have put together two products to help your organisations prepare for the GDPR. These consist of a basic and an enhanced GDPR package. Following completing our GDPR questionnaire, both the basic and enhanced packages will provide an organisation with the following:
- Q& A Guide to provide a general background into the GDPR;
- Privacy notice – this sets out what data you hold on staff and how you use it (and is a required document under the GDPR);
- Consent form – to enable your organisation to obtain valid consent for processing of sensitive, personal data.
- Contract review – to check if your contracts are compliant under the GDPR.
- Data protection policy – which should help your organisation achieve GDPR compliance.
The enhanced package will also including providing your organisation with:
- In-house training; and
- A review of other relevant policies.
We are also working alongside other professionals to ensure that a number of our client’s data protection needs are being met. If you are interested in the above, please do give us a call on 0203 008 5718 to discuss.