The new EU data protection regime, under the General Data Protection Regulation (GDPR), came into force on 24 May 2016 and will apply in all Member States from 25 May 2018. In the UK it will replace the Data Protection Act 1998 (DPA).
The GDPR is built on the same fundamental principles as the DPA but there are distinct changes that organisations need to prepare for.
In the current state of uncertainty it is understandable that many organisations have delayed making preparations to comply with the GDPR. However, UK data controllers will have to comply with the GDPR for at least a short period of time, for the following reasons:
- The government has now confirmed that the UK will implement the GDPR, as we will still be members of the EU in 2018. If Article 50 is indeed invoked in March 2017, then the likely exit date will be March 2019, meaning that UK data controllers will have been subject to the GDPR for nearly a year.
- If and when we do leave the EU, the UK will want to ensure that UK businesses can continue to process EU data, and a simple method of doing so would be to subscribe to the terms of the GDPR.
Employers should, therefore, start their preparations now. The regulations are particularly pertinent for employers given the amount of personal data, and in particular sensitive personal data, processed in relation to their employees. The key changes are:
- Enforcement - The maximum penalty for failure to comply has significantly increased from a £500,000 fine to the greater of 4% of an organisation’s annual worldwide turnover or €20 million.
- Consent - Employers will no longer be able to rely on implied consent when processing personal data. Consent will need to be given by clear affirmative action. Consent is presumed not to be freely given if there is a clear imbalance between the parties, particularly between an employer and employee. Therefore employment contracts cannot be made conditional upon consent to processing or use of data.
- DSAR (data subject access request) - Employers must reply within one month from the date of receipt of a request, rather than the current 40 days. The £10 fee is also being abolished unless a request is ‘manifestly unfounded or excessive’. Finally, there is an emphasis on transparency, which requires employers responding to a DSAR to explain how they approached it.
- Expanded territorial scope - Non-EU data controllers and processors will have to comply if they offer goods or services to data subjects in the EU or monitor data subjects’ behaviour within the EU.
- Breach - Employers must notify the regulator of all data breaches without delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals. If a data breach involves a high risk to individuals, businesses must inform the affected data subjects without undue delay.
What should employers be doing now?
- Consider how you will tackle the issue of obtaining consent. Simply including a standard provision in an employment contract to obtain consent to process personal data is likely to be ineffective under the GDPR. Employers should consider a separate declaration of consent or, where this is not possible, alternative justifications for the processing.
- Reassess compliance strategies and follow ICO recommendations, such as creating awareness among senior decision makers in the business; auditing and documenting the personal data held, recording where it came from and who it is shared with; and reviewing the legal basis for the data processing you carry out.
- Review existing compliance programmes and ensure you have the policies to demonstrate compliance with the GDPR.
- Develop and implement a data breach response plan, and consider how you will give effect to the right to erasure of personal data.
- Employers who process large volumes of data should consider how they will respond to DSARs within the new time frame.
Posted on 07/11/2016 in Legal Updates