Are You Ready For General Data Protection Regulation?
The General Data Protection Regulation, or GDPR, comes into force in only 12 months, on May 25th, 2018. These European Union rules, which have been described as the biggest ever overhaul of data legislation and which the UK government will implement despite Brexit, mean individuals will have the right to ask companies to show them more personal data gathered on them.
The legislation applies to any company that is targeting consumers in the European Union and holding or transporting data relating to them.
Substantive penalties can be imposed on employers that breach the GDPR, including fines of up to €20m or 4% of annual worldwide turnover, whichever is greater.
The severity of any fine will depend on the nature of the breach and any mitigating factors.
Mandatory appointment of data protection officer
One of the most significant aspects of the incoming regulation is that it specifies that in certain cases companies must appoint a dedicated data protection officer (‘DPO’). The DPO will have specific functions set out in the GDPR and will be distinct from a risk officer and from all IT functions that currently exist within the business. Even where a DPO is not required, companies may choose to designate someone to take proper responsibility for GDPR compliance. In either case, companies must support this person in acquiring appropriate expert knowledge so that the business stays on the right side of the law.
GDPR is an EU Regulation which means, unlike a Directive, it will be directly incorporated into the UK legal system without the need for UK implementing legislation before Brexit happens.
Elizabeth Denham, UK Information Commissioner, says GDPR encapsulates:
“a demand that the boardroom builds a culture of privacy that pervades an entire organisation. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to breed a company-wide culture of privacy, so it becomes the norm for generations to come.”
Employers must be able to demonstrate compliance
As an overarching theme of the GDPR is the principle of accountability, employers will no longer need to register with the ICO but must be able to demonstrate their compliance with GDPR principles. Detailed documentation recording processing activities will need to be maintained and made available to the ICO on request.
At the moment, employers have to inform all employees of the types of information they record and for what purposes. This obligation continues but in an enhanced form.
Employers will also be required to tell employees how long their data will be stored, whether that data will be transferred to other countries, that they have the right to make a subject access request, and that they have the right to have personal data deleted or amended in certain circumstances.
Employees, as data subjects, already have numerous rights but these rights are enhanced under GDPR, bringing with them greater accountability and increased administration requirements. Individuals will enjoy increased rights to object to certain processing, and the right to be forgotten, to have data rectified and to restrict how data is used.
Enhanced subject access rights
Another major change is to the subject access regime. Crucially, employers will no longer be able to charge a fee to respond to a subject access request and must respond within one month instead of 40 days. In addition, extra information will need to be supplied, including the envisaged period for which the employee’s data will be stored and their rights of erasure and rectification, and employees are entitled to be provided with the information in electronic form (unless the employee requests otherwise).
How can employers prepare for GDPR?
Employers should make sure they are ready for GDPR by reviewing existing data protection policies and practices including employment contracts, staff handbooks, employee policies and subject access request communications. Processes should also be reviewed, for example, to assess and determine how the new one-month response deadline will be met.
The Information Commissioner’s Office (ICO) is publishing practical guidance to help organisations prepare for the change.
Many firms unprepared for tough new data protection laws
One in four UK businesses is not currently aware of these new data protection laws and nearly one in two have failed to start preparing for the enactment of the new legislation in a year’s time, according to a report from Ipsos Mori.
Despite 74% of the 92 respondents believing GDPR will have a “high” or “medium” impact on their organisation, 45% have yet to carry out a GDPR readiness audit.
Elizabeth Denham said:
“Together with government and European authorities, we’ve been reaching out to organisations to help them get ready for GDPR since March 2016, but we know there are organisations which have yet to engage. With one year to go, there’s still time to prepare, but there’s no time to waste.”
Contact us for advice on the new General Data Protection Regulation (GDPR)
IBB’s data protection and employment lawyers can keep your business or organisation on the right side of the GDPR obligations. If you would like advice on the new regulations or any of our other services please call 03456 381381 or email employment@ibblaw.co.uk.