You may have heard the acronym GDPR mentioned in “IT circles”, but the General Data Protection Regulation will have a major impact on employers when it comes into force on 25th May 2018.
So what is GDPR?
Brexit does not change this for UK employers: the GDPR will apply in the UK. It aligns data protection law across the EU and updates current data protection practice to reflect globalisation and advances in technology (cloud services, large-scale monitoring and cross-border data flows) that have made the world a much smaller place.
Who will it apply to?
It will apply not only to EU companies, large and small and in every sector, but also to any company outside the EU that processes the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour.
What happens if you don’t abide by the GDPR?
Significant penalties can be imposed on employers that breach the GDPR. For the most serious breaches, fines can reach €20 million or 4% of annual worldwide turnover, whichever is greater; a lower tier of up to €10 million or 2% of annual worldwide turnover applies to other breaches, such as failing to notify a data breach or failing to keep adequate records.
What are the main changes in the GDPR that an employer needs to be aware of?
1. Privacy Notices – employers are already required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
- the lawful basis relied on for each purpose of processing;
- how long data will be stored for (or the criteria used to decide this);
- whether data will be transferred to other countries and, if so, what safeguards apply;
- information on the right to make a subject access request;
- information on the right to have personal data deleted or rectified in certain instances; and
- information on the right to lodge a complaint with the data protection authority (in the UK, the ICO).
2. Restrictions on relying on consent to process personal data – Currently, many employers process personal data on the basis of employee consent. The GDPR introduces further requirements for consent: it must be freely given, specific, informed and unambiguous, and employees must be able to withdraw it at any time as easily as they gave it. Because of the imbalance of power between employer and employee, consent will rarely be “freely given” in the employment context, so employers should identify another lawful basis where one applies (for example performance of the employment contract, compliance with a legal obligation, or legitimate interests).
3. New mandatory data breach notification requirement – Where there has been a personal data breach (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), the employer will have to notify the data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must describe the nature of the breach, its likely consequences, the measures taken to address it and a contact point; if all of this is not yet known, it can be provided in phases. Where the breach is likely to pose a high risk to the rights and freedoms of the individuals affected, those individuals will also have to be told without undue delay. Every breach, notified or not, must be documented so that the authority can verify compliance.
4. Appointment of Data Protection Officers – All public authorities, and private companies whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special category (sensitive) data or criminal conviction data, will need to appoint a data protection officer to:
- advise on GDPR obligations;
- monitor compliance; and
- liaise with the data protection authority.
So what can HR Departments do to prepare for these changes?
Working closely with legal, IT, finance and compliance teams, there are a number of steps you can take now to be better prepared for the forthcoming changes:
- Carry out a data audit: record what personal data you currently collect, process and store, where it is held, who has access to it, the lawful basis relied on, who it is shared with and how long it is kept, and identify any gaps against the GDPR's requirements. This record also gives you the documentation of processing activities the GDPR expects you to maintain.
- Review your current privacy notices and update them to meet the more detailed information requirements, making sure they are easy for employees and job applicants to understand.
- Assess the lawful basis relied on for each type of processing. Where consent is currently relied on, check whether it meets the GDPR's requirements and whether another lawful basis is more appropriate, and remember that consent may be withdrawn at any time.
- Develop a data breach response process to ensure prompt notification. Within the process, allocate responsibility to named people for investigating and containing a breach, assessing the risk to individuals, reporting to the data protection authority within the 72-hour window and keeping a record of every breach, including those that do not need to be reported. Train employees to recognise and report data breaches, and put appropriate policies and procedures in place.
- Determine whether or not a Data Protection Officer should be appointed and, if so, think about how best to recruit, train and resource one.
For more information on the GDPR visit the ICO (Information Commissioner’s Office) Website at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/