Brexit makes no difference…
“Have I got your attention? I hope so because what I am about to talk about will affect every Employer from 25th May 2018″, says Chris Wilkinson from Expert HR Solutions.
Quite simply the Data Protection Act (DPA) will be replaced by the European Union’s General Data Protection Regulation (GDPR) as it will apply to organisation’s operating within the EU AND to those outside of the EU that offer goods and services to individuals within the EU. As with the DPA the GDPA will have Controllers who say how and why personal data is processed, and Processors who act on the controller’s behalf.
While the principles are similar to those in the DPA, there are some additional requirements that UK companies need to be aware of. The most significant is accountability. The GDPR requires you to demonstrate compliance by design. This means ensuring you have adequate systems, contractual provisions, documented decisions about processing, and training in place.
As with the DPA, the GDPR will apply to ‘personal data’ held about employees, however, the GDPR’s definition is broader. Any data that can be used to identify an individual is considered to be personal data. It can include things such as genetic, mental, cultural, economic or social information, and IP addresses.
Sensitive personal data known as ‘special categories of personal data’ is broadly similar to the DPA but there are some minor changes that will need to be addressed. It will include genetic data and biometric data where processed to uniquely identify an individual.
The issue of ‘consent’, where it validates the use of personal data, is also a significant development. Organisations need to ensure they are explicit when seeking consent and detail how they will use the information. Given that you are required to have a Contract of Employment for all Employees of a Contract for Services for sub-contractors and both of these documents contain sensitive personal data it would be wise to include a clause making it clear that the organisation will hold this data for the purposes of employing or sub-contracting the individual.
Here’s our list of actions to consider:
- Do you need to appoint a data protection officer? Under the GDPR, some companies will be required to have one, including public authorities processing personal information; organisations whose ‘core activities’ require ‘regular and systematic monitoring of data subjects on a large scale’; or where there is large-scale processing of special categories of data.
- Do you protect privacy by design? This emphasises the importance of measures such as privacy impact assessments (PIAs). As data controllers, PIAs will assess where privacy breach risks exist and how to minimise them.
- Have you adequate systems in place to manage data breaches that may arise and to comply with the notification requirements? The GDPR requires your local data protection authority to be notified of a breach within 72 hours of discovery.
- Will you be able to comply with the right to be forgotten if the data subject requests it?
- Will you be able to ensure compliance with the more restrictive principles of not holding data longer than absolutely necessary, and not changing how you use such data from the original purpose(s) specified?
So why is all this so important? Well, the penalties that can be imposed will increase substantially. Depending on the nature of the breach, fines can be around £15,000 or 4 per cent of the total annual global turnover, based on the preceding financial year, whichever is the greater.
So if you are concerned about the implications of the GDPR from an Employment perspective why not give us a call on 01202 611033 and we will be happy to help.