EMPLOYER ALERT! The law is changing…is your business GDPR compliant?
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It is complex legislation with which every employer must not only comply but also be able to show how that compliance is achieved.
Employers need to be aware of the new regulations coming into force on 25 May 2018. Whilst employers are used to the current regime in respect of processing data fairly, the new regulations have more substance and more bite, with added detail and greater accountability. The GDPR requires not only compliance but also a demonstration of how compliance is achieved. Employers must be prepared to justify their organisation’s ‘processing’ of data – is it for legitimate interests, whether that be for the performance of a contract or for compliance with a legal obligation? ‘Processing’ extends to the obtaining, recording, holding, storage, deletion and transfer of all employee data.
A comprehensive audit of all data that is processed across the entire business will have to be undertaken and questions asked.
The starting point has to be what employee data is being processed and why? A comprehensive audit of all data that is processed across the entire business will have to be undertaken and questions asked. Having assessed what is being processed and why, the next consideration is for how long is the information kept and why? Is the length of time objectively justifiable and necessary? How is it stored? Is it transferred and what happens to that information when it is no longer required? Under the new regulations, employees have the right to be provided with answers to these questions. This will have to be dealt with in policies informing individuals exactly what information about them is being processed, of their right to access that information, to correct it, restrict it, transfer it or indeed to have it removed.
A blanket consent clause within an employment contract is no longer sufficient.
Employers will be familiar with the need for employee consent to data processing. Until now this could be dealt with by way of a clause contained within an employment contract but not any more. Under the GDPR, the requirement for consent has changed and a blanket consent clause will not suffice. At the very least, it should be dealt with by way of a separate schedule to an employment contract. In addition, consent must be as easy to withdraw as to give, so employers will have to ensure they have in place a simple mechanism for withdrawal.
Employers must notify the regulator of any data breach
At present, there are no requirements to report data breaches to the regulator but from May, an employer who is aware of a personal data breach must notify the regulator – without undue delay and, where practical, within 72 hours. Again, policies will be needed so individuals know what represents a breach and what their obligations are in these circumstances. Training will be required across the workforce. In particular, the processors and controllers need to be made aware of their increased accountability.
The penalties for non-compliance are staggering
To focus the minds of employers on data protection principles, the penalties for non-compliance will increase. The current limit of £500,000 is increasing to a staggering 20,000,000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. With 4 months to go before implementation, employers must ensure they are doing everything they can to be ready for May: auditing data processing, checking compliance with the consent requirement, amending and drafting new policies, and training.
For further information and a FREE ‘over the phone’ assessment of what is required for your business, call Henry Doswell of Doswell Law on 01233 722942 or email us at info@doswell-law.com
Disclaimer: Whilst every reasonable effort is made to make the information and commentary contained in this blog accurate and up to date, Henry Doswell takes no responsibility for its accuracy and correctness, or for any consequences of relying on it. The information and commentary in this blog does not constitute legal advice to any person on a specific case or matter. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter.