Posted: 11th September 2017
I’ve been looking at GDPR from an employment perspective for a number of my clients. I hope you will find the following information useful:
What is the General Data Protection Regulation (GDPR)?
It is a new piece of legislation which is due to come into effect on 25th May 2018. It aims to provide consistent data protection legislation across Europe regarding the collection, storage and security of personal data. GDPR applies to data processing carried out by organisations within the EU and organisations outside the EU that offer goods or services to individuals in the EU. The UK has announced that it will pass a new Data Protection Bill to bring the EU’s GDPR legislation into UK law.
Is GDPR relevant for small businesses?
If an organisation routinely processes personal data, then GDPR is likely to apply. The Information Commissioner’s Office (ICO) has stated that any business which is affected by the Data Protection Act (DPA) will also be affected by the GDPR. Organisations of any size should maintain control over the way they process data and be able to demonstrate that they are keeping that data secure and protected. The ICO has published a useful GDPR checklist, ‘Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now’, which gives a good overview of all the key areas it will cover.
What are the key differences between GDPR and UK Data Protection law?
1. Accountability
The most significant change introduced by GDPR is the ‘accountability’ principle. The GDPR requires organisations not only to comply with its principles but to be able to show how they comply. For employers, there will be increased obligations to provide information to employees and job applicants about how their personal data is processed. This will require employers to know where personal data is stored, how and why it will be used, and how it will be kept safe and secure.
2. Personal Data
The rules on gaining individual consent to collect, process or store personal data will be tightened: consent will need to be freely given, specific, informed, unambiguous, properly documented and easily withdrawn. Blanket consent clauses, such as those commonly found in contracts of employment, will no longer be sufficient. However, organisations can still rely on other lawful bases for dealing with personal data, such as legitimate interests or contractual necessity. Individuals will also have a new ‘right to be forgotten’ by the organisation, either if they withdraw their consent to the use of their personal data or if keeping the data is no longer required.
GDPR’s definition of ‘personal data’ (also known as personally identifiable information or PII) reflects changes in technology: online identifiers such as IP addresses and other electronic tags will now come under the definition. If genetic or biometric data is processed to uniquely identify an individual, it will be classed as ‘sensitive personal data’.
3. Timeframes
The timeframe for processing a ‘subject access request’ (i.e. a written request from an individual to an organisation for the personal data that is held on them) will be shortened: requests must be carried out without delay and within one month (compared to 40 days under the DPA). Organisations will no longer be able to apply an administrative charge, unless a request is shown to be unfounded or excessive.
The timeframes for reporting data security breaches will also be shortened. Wherever possible, breaches will need to be reported immediately to the data protection authority (in the UK, the ICO). Ideally, breaches should be reported to the ICO within 24 hours, but definitely within 72 hours.
4. Penalties
Fines for non-compliance will be increased. The maximum fine will be 4% of global annual turnover or €20 million (£17 million), whichever is greater. However, this will only apply to the most serious breaches, and the ICO has stated that large fines will not be the norm.
What can small businesses do to prepare for GDPR?
If organisations already comply with DPA, they will fulfil many of their obligations under GDPR. Based on ICO guidance, the most practical approach will be to carry out a thorough data risk assessment. Follow these steps to help you prepare for GDPR:
According to the ICO, GDPR should not be a significant burden to organisations that take their data responsibilities seriously. If you know what personal data you collect, process and store, and why and how you do so, and you treat that data as an asset to be carefully managed, you are less likely to encounter problems.