On 25 May 2018 the General Data Protection Regulation (GDPR) will replace the current Data Protection Directive. Employers must adhere to these changes and be ready, otherwise they could face fines of up to 20 million Euros or 4% of the company's worldwide annual turnover, whichever is higher.
Dot the i’s and cross the t’s
Employers need to know how the regulations will affect their organisation and are encouraged to put a checklist in place. Key people within businesses need to be made aware of how the law is changing; this article gives a brief summary of some of the changes that will be introduced.
Employers are required to document all personal data held within the company, where it came from and with whom it is shared.
Privacy notices must be provided when collecting personal data, explaining the lawful basis for processing it, how long it will be retained and the individual's right to complain to the ICO.
Individuals will also have the right to be informed, and the rights to access, rectify and request erasure of their personal data.
Employers will no longer be able to charge a fee for Subject Access Requests in most cases, and requests will have to be fulfilled within one month (extendable by a further two months where requests are complex or numerous).
Under the GDPR the rights an individual can exercise will depend on the lawful basis used for processing their personal data. There are 6 lawful bases (consent, contract, legal obligation, vital interests, public task and legitimate interests) and the employer needs to ensure:
- that the processing is “necessary” for the purpose relied on, and
- that it is a targeted and proportionate way of achieving that purpose.
Emphasis has been put on consent: it must be freely given, specific, informed and unambiguous, so that individuals have a real choice and control. The changes also give children special protection, and privacy notices aimed at them must be clear and easy for them to understand.
Employers must also be aware of their breach notification duties: a personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of becoming aware of it, and where the risk is high the individual(s) concerned must be informed as well.
When does a Data Protection Officer (DPO) need to be appointed under the GDPR?
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
Feel the fear and do it anyway
Although this may seem like a minefield, it cannot be ignored. It is imperative that employers understand and prepare for the GDPR requirements, updating all their policies and procedures to reflect the changes so that they are compliant before 25 May 2018.
Opsium will provide further advice to employers in the coming months but if you have any questions now, don’t hesitate to get in touch.