Notwithstanding Brexit, the new General Data Protection Regulation (GDPR) will be implemented in the UK and will bring about the greatest ever reform of our current laws on data protection as of 25 May 2018.
In the first of our series of blogs on the GDPR and preparing for change, we take a look at how your business will be obliged to comply with these upcoming changes; and with personal information playing a key role in any business, the task ahead, whilst manageable, will have to be planned for, resourced and implemented.
What kind of data are we talking about?
The GDPR, just as it does with the Data Protection Act 1998 (DPA), will cover all personal data that your business collects and processes. Employers and their HR departments will frequently deal with employees, volunteers, consultants, interns and a host of other individuals; with each comes interviews, meeting notes, record keeping and your day to day admin brings processing payroll, pensions, dealing with grievances and so on. Your business will hold and process personal data as part of your role on a daily basis.
Key changes for HR departments and employers
So, to save you reading the entirety of the GPDR (all 260 pages!), we will highlight some of the most significant changes that HR teams and employers need to be aware of, and in the rest of our mini-series we will tackle how to plan for these changes:
- Transparency and Accountability: Under the GDPR there is the introduction of a general requirement for organisations to be accountable about data processing and a greater emphasis on transparency. This will impact how an organisation requests data (ensuring the data subject is informed what data is being collected about them, for what purposes and how the data will be used), processes data and responds to the rights of data subjects. Organisations will need to keep up-to-date records to ensure they can demonstrate compliance with the GDPR and focus on being accountable and transparent about how they work with data.
- Employee rights: As data subjects, employees already have a bundle of rights; the most important from the employer/HR perspective is probably the subject access right. These rights remain, however they are enhanced under the GDPR, bringing with it greater accountability and increased administration. The other rights of employees as data subjects include (1) the right to be informed; (2) the right to be forgotten; (3) the right to data portability; and (4) the right to rectification and restriction. Such additional rights are likely to affect the current data management practices of HR teams.
- Data Breach Notification: Under the GDPR, businesses will be required to notify data breaches within 72 hours. This new time limit means that businesses must have a clear policy for data breach notification to ensure that they are able to design their notification processes to meet the GDPR obligations. The roll-out of such a policy is highly likely to involve HR teams.
- How you gather data about your employees: Currently, employers have to inform all employees of the types of information they record and for what purposes. This obligation continues but in an enhanced form, and is likely to mean changes to your data protection policies, statements in contracts of employment and contracts with other workers.
- Subject Access Requests (SARs): The major change around SARs brought in by the GDPR is that the time limit for responding to a SAR is shortened from 40 days under the Data Protection Act 1998 to one month under GDPR. The GDPR also makes it generally easier for data subjects to make SARs, and employers, under the GDPR, will no longer be able to charge the £10 fee for dealing with SARs. We will discuss SARs more in the final blog in this series since this area deserves a blog of its own.
- Appointment of a Data Protection Officer (or "DPO"): For some of you reading this today, this may soon be a requirement under the GDPR. For organisations dealing in data whose core activities (i) involve the regular and systematic monitoring of data subjects on a large scale; or (ii) the large scale processing of special categories of data (meaning the likes of health data, political opinions, religious and racial and ethnic origin data), it may/will come as a surprise that the same legal obligation will apply to your organisation.
- Record keeping: Through the increased focus on transparency and accountability, there will be much tighter standards upon the nature of data employers can retain and for how long, meaning that the retention periods for records will need to be identified and monitored and you will also need to keep better records of your decision making process. Keeping improved records will be key to demonstrating GDPR compliance.
- Privacy by design and PIAs: The GDPR advocates privacy by design – which means that employers will be obliged to adopt an approach that promotes privacy and data protection compliance from the outset of any project or process. For example, if your business outsources your pension administration requirements, what will you need to do under GDPR that you don't need to do now? HR teams will need to consider carrying out Privacy Impact Assessments at the beginning of any new process so that privacy is "baked" into the process from the beginning. So if you are thinking of changing or upgrading your payroll system or introducing a new HR management system for example; you will need to assess the privacy implications before implementation.
These are only a few of the changes and we will highlight and discuss these in more detail during this mini-series.
Why should HR teams care?
Under the GDPR, fines will be significantly increased (currently the maximum fine that can be enforced by the ICO is £500k), and will be levied on a two-tier basis:
- up to the greater of 2% annual worldwide turnover for the preceding financial year of the organisations or EUR 10 million – this is for breaches related to internal record keeping, data processor contracts, DPOs, data protection by design and default; or
- up to the greater of 4% annual worldwide turnover of preceding financial year or EUR 20 million for major breaches related to issues such as consent and data subjects' rights.
What should HR teams do?
Employers and HR professionals might be forgiven for thinking that May 2018 is a long way from now and that they can afford to postpone taking preparatory steps. The Information Commissioner's Office has already stated that there will be no leniency come 25 May 2018 – we have had two years to prepare! However, the change for employers cannot be underestimated and employers should be considering preparing now.
So, how can employers prepare?
- Review existing data protection policies and practices including employment contracts, staff handbooks and employee policies.
- Review and update current procedures for handling SARs.
- Identify staff members (e.g. future DPO) who require training on the upcoming changes and appoint someone to oversee compliance with the reforms.
- Know when PIAs should be used, who should be involved and the process to be adopted.
- Read our upcoming blogs, on the below
subjects, for more detail and advice:
- employee rights under GDPR;
- lawful processing;
- employee monitoring;
- data breach notifications; and
- Subject Access Requests.
The next in this mini-series, 'Employee rights under GDPR', will be out next week! We are running seminars on the GDPR in May and June. If you would like to know more about how your organisation can prepare for the GDPR, sign up by clicking on the most suitable date below:
Prepare your business for the GDPR – 18 May 2017 (Edinburgh)
Prepare your business for the GDPR – 25 May 2017 (Glasgow)
Prepare your business for the GDPR – 1 June 2017 (Stirling)
Prepare your business for the GDPR – 8 June 2017 (Dundee)
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
