Providing HR & employment law support

Is Your Business Ready for the New Data Protection Law?

The General Data Protection Regulation 2016 (GDPR) will replace the Data Protection Act 1998 (DPA) on 25th May 2018. It will have a far-reaching global impact on how businesses deal with data security and it will strengthen and unify data protection for individuals.

The government have confirmed that the UK’s decision to leave the EU will not affect the date that the GDPR will be implemented in the UK. It is also unlikely that it will be removed once the UK leaves the EU due to its global impact and on the basis that businesses in the EU are unlikely to undertake business with those who do not comply with it.

The GDPR allows for significantly higher maximum penalties than the DPA. In some circumstances a breach of the GDPR can lead to a maximum fine of €20 million or 4% of an undertaking’s worldwide annual turnover, whichever is the higher.

It is essential that businesses act now, as the GDPR will affect many parts of your business where you process data, such as HR records, customer lists and contact details, all of which will need to comply with the new rules.

What are the New Rules to look out for?

There are many changes that will be introduced by the GDPR. Below is a summary of the salient ones:


The greatest change that will be introduced by the GDPR is onerous accountability obligations on businesses to demonstrate compliance. Rigorous audit trails and documentation will be required and data protection impact assessments will need to be carried out for certain processing. Data should be accurate and only be retained and processed where necessary. Data breaches will need to be reported to the data controller (DPA) (and in certain circumstances, the individual) without undue delay.

Data Protection Officers

In certain circumstances Data Protection Officers will need to be appointed to be responsible for data processing. This is to further enhance the accountability of businesses.


An individual’s consent to processing of their personal data must be as easy to withdraw as it is to give. Consent must be “explicit” for sensitive personal data. The data controller is required to demonstrate that consent was specific, informed and freely given: a pre-ticked consent box will not be sufficient. We recommend that consent is dealt with separately to the employment contract so as to minimise arguments that consent was not given freely.

As consent can be easily withdrawn, it is best not to rely on this as your primary means for processing data. The GDPR allows data to be processed in order to comply with a legal obligation (e.g. for calculating tax due to HMRC) or complying with a term in a contract. It is best to find such a legitimate interest to rely upon rather than consent, which can be withdrawn. Companies will need to identify what these legitimate interests are.

There must be greater transparency when obtaining personal data, and more comprehensive information must be given to the individual about such things as the legal basis for processing; the right to complain; how the data is to be stored; and how consent can be withdrawn.

Data Subject Access Requests

These will remain as before, so that an individual can ask for data that is incorrect to be rectified. However, the GDPR goes further so that there will be a right to:

• restrict certain data,
• object to data being used for direct marketing purposes, and
• receive data in a format so that it is portable to send elsewhere.

There will also be the right to erase certain data. This could be very problematic for HR teams where historical data may no longer be available if claims are brought against the business. Also, the data controller will have to respond to a request for data within a month and the fee of £10 will no longer apply except in very limited circumstances.

Whilst GDPR will affect many aspects of the business it is likely that the responsibility of Data Protection will fall under the remit of your HR function as they will already be familiar with many of the concepts. GDPR will also affect HR functions heavily due to the large amount of processing of data that takes place in this area. HR need to start thinking now about the changes that need to be made in the business in order to accommodate the new rules.

We set out below eight action points that HR advisers (or others responsible for data protection) should be looking at now in order to ensure a successful transition.


1. Raise Awareness

Make sure the key people in your business understand the new law and assess its impact on the business and provide training where necessary.

2. Data Protection Officer

Designate a Data Protection Officer to take responsibility for data protection compliance if necessary and agree their responsibilities in the business. Produce a job description and organisational chart to introduce this new role which should oversee all areas of the business.

3. Audit Trails

Document the personal data that you hold, where it came from and who you share it with and complete an audit trail.

4. Data Protection/Privacy Policy

Review and update your current Data Protection policies and procedures to ensure that they comply with the new rules, including how you will delete personal data.

5. Data Breaches

Ensure that you have the right procedures in place to detect, report and investigate a personal data breach and introduce a policy regarding data breaches.

6. Subject Access Requests

Update your procedures and plan how to handle requests under the new regime.

7. Consent

Produce separate data protection agreements for employees to sign providing full transparency and remove consent in relation to data protection from employment contracts and service agreements. Ensure that where consent is obtained it can be shown to be freely given in your processes.

8. Privacy Impact Assessments

Consider the Privacy Impact Assessments produced by the ICO to work out when to implement them into your business.

*Adapted from

We are available for advice and guidance on the new laws, so please do get in touch if you have any questions.

Should you also require a more bespoke policy, or a review of your staff handbook and/or contracts of employment, we would be happy to provide you with an estimate of costs. Please do not hesitate to contact us.

Joanna Atkinson
Practice Director, Solicitor

T +44 (0)1252 821792


This article is published for information only based on the law currently in force or as it is currently anticipated. It does not constitute or contain legal advice and should not be considered as a legal opinion or as a substitute for legal advice.