The processing of personal data by UK employers is currently governed by the Data Protection Act 1998, which sets out a series of principles to ensure that data is handled in a sensitive and responsible manner. From 25 May 2018 this changes with the introduction of the General Data Protection Regulation (GDPR), a single data protection law applying across all EU member states. The current uncertainty over Brexit has led to much discussion about the implementation of EU regulations; however, as negotiations are expected to take at least two years, the GDPR will apply directly to the UK until it leaves the EU.
In many instances, if an employer is already complying with current data protection legislation, the impact of the GDPR will be marginal and existing practices can be adapted to comply with the new regulation.
One of the big changes under the GDPR is that it makes it easier for employees to bring a private claim against the employer for distress caused by a breach of data protection. The employer may be liable to pay compensation on this basis even where the breach has caused the employee no financial loss. In addition, the maximum fine for a breach of data protection has been raised to €20 million or 4% of the organisation's worldwide annual turnover, whichever is higher. It is therefore essential to understand how the changes will affect your business and to prepare the processes needed to comply with the regulation.
The Information Commissioner's Office (ICO) has suggested the following 12 steps for preparing for the GDPR:
- Awareness: ensure that all decision makers and key people in the organisation are aware of the change in legislation and the impact it could have.
- Information held: document all personal data held, where it came from and who it is shared with. An information audit is a sensible way to do this.
- Communicating privacy information: review current privacy notices and communications and decide what needs to change to comply with the GDPR.
- Individual rights: a review of current processes relating to individual rights should be conducted, including how personal data would be deleted.
- Subject access requests: update procedures and plan how requests will be handled so that they are answered within the GDPR's one-month deadline (reduced from the 40 days allowed under the 1998 Act).
- Legal basis for processing personal data: review the types of personal data currently held to identify the legal basis for processing each of them, and document the outcome.
- Consent: the current process for seeking, obtaining and recording consent should be reviewed, to make a decision on any changes that may need to be implemented.
- Children: if you process children's data, start thinking about systems to verify an individual's age and to obtain parental or guardian consent for the processing activity.
- Data breaches: ensure there are procedures in place for detecting, reporting and investigating a personal data breach. Under the GDPR a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it, so detection and escalation need to be tested, not just written down.
- Data protection by design and data protection impact assessment: it is important to familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
- Data protection officers: you may be required to appoint a data protection officer (the GDPR makes this mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), or otherwise designate someone to take responsibility for GDPR compliance. Consider where this person will sit within the organisation's structure.
- International: if the organisation operates in more than one EU member state, consider which data protection supervisory authority is your lead authority. Note that the GDPR protects all individuals in the EU whose data you process, regardless of their nationality, so all employees of an EU-based employer are covered.
If we can help you with this or any other HR issue, please do not hesitate to contact a member of our HR Team at HR Services Scotland Ltd on 0800 652 2610.
For more information about the services that we provide at HR Services Scotland, please get in touch with us here.