Black keyboard

How to prepare for General Data Protection Regulation (“GDPR”)

Although Britain will be leaving the EU, Baroness Neville-Rolfe (the Minister for Data Protection) has stated that if Britain wants to continue sharing data with Europe and handling EU citizen’s data, we will need to have adequate levels of protection in place. Therefore, businesses should consider how to react to the new GDPR which will be effective from 25 May 2018. So, what do businesses need to start thinking about?

Policies

Businesses should consider updating their Data Protection Policy and Privacy Policy in line with the GDPR which should include the length of time that data will be stored for, how the data might be transferred overseas, the more onerous subject access request provisions and the right to erasure (discussed in more detail below). If you do not have a Data Protection Policy, you should give some serious consideration into preparing a comprehensive policy as the GDPR requires data protection policies in order to demonstrate compliance.

Subject access requests

Businesses should take note that if an individual makes a subject access request under the GDPR, they will no longer have 40 calendar days to collect the information and they will have one month instead. The (current) administrative fee for subject access requests will also be abolished which may cause an influx in requests for subject access requests. An employer in certain circumstances may be able to request a “reasonable fee” where the subject access request is excessive.

The right to “erasure”

Although the right to ask for inaccurate information to be amended is already part of the current law, GDPR specifies this as the right to “erasure”. Therefore, an individual can make a request for any information, which is
inaccurate or no longer necessary for its purpose, to be deleted. Due to the new label (and risk of media attention on this area), employers may be bombarded with requests to have certain records deleted from overly
enthusiastic employees/former employees.

Obtaining consent for processing data

At present you must provide employees and job applicants’ with information about how their data is processed and information about how the processing is fair under the existing legislation. However, these new regulations have become tighter.

  1. From May 2018, the legal basis for processing personal data will need to be clearly stated and recorded.
  2. Businesses often wish to rely on consent as the basis for fair processing but the GDPR makes it much harder to rely on consent in an employer/employee relationship or in any relationship where there is a marked imbalance in power between data controller and data subject. The regulations state that “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data’s subject’s agreement…” Employees will also hold the power to withdraw their consent, following which the data will no longer be processed.
  3. Accordingly, draft guidance produced by the Information Commissioner’s Office suggests it will no longer be effective for the employee’s consent to processing personal data to be provided within their employment contract. The Regulation further states that “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to withdraw consent without detriment”. This may cause difficulties for an employer if, for example, an employee is subject to disciplinary action, they might withdraw their consent for the employer to continue processing their data. Accordingly, the recommendation is that instead of relying on consent, the employer ensures that employment contracts and employment handbooks rely on another legal ground to continue processing the individual’s personal data. The obvious ground would be that the use of the data is essential for the proper working of the employment contract, though there may be other relevant grounds applicable. Therefore, it is important that an employer understands the fundamental legal principles behind processing personal data so that they are prepared for every eventuality.

Appointment of Data Protection Officers

Certain businesses (such as public authorities or organisations whose activities involve regular and systematic monitoring of data on a large scale) will need to appoint a data protection officer and disclose details of this
person within their policies.

Non compliance

If a business breaches the GDPR, there could be significant financial penalties with fines of up to 4% of annual worldwide turnover or €20 million (the greater of the two).

What do you need to do now?

Although the GDPR is not fully enforceable until 25 May 2018, employers need to start thinking about how to implement the GDPR into their working practices. Some organisations (public sector bodies and those whose business activities require significant quantities of personal data to be processed) may have to recruit a specific data protection officer. All businesses should be looking at how they process and use personal data to make sure their procedures are fit for purpose.

If you would like further assistance on understanding the impact of the GDPR or you would like to amend any of your policies in readiness for the GDPR, then please do not hesitate to contact us.