Recent research suggested almost half of companies were concerned that they won’t meet the requirements of the new General Data Protection Regulation (GDPR). With less than six months to go until the rules come into force, Jo Stubbs, Head of Content at XpertHR, offers guidance on ten things employers need to know to ensure they are compliant.
On 25 May 2018 the General Data Protection Regulation comes into force and will change the way organisations manage personal data. The GDPR will introduce changes to the way that data is processed across the EU. It will mean employers need to rethink how personal data is collected, used and kept.
Employers are likely to have to find an alternative to consent to process personal data and the regulators will be able to impose significantly higher fines than under existing provisions - up to €20 million or 4 per cent of an organisation's annual worldwide turnover, whichever is greater.
Research by Veritas Technologies suggests almost half (47 per cent) of companies are concerned they won’t meet the requirements of the legislation and 86 per cent are concerned that the GDPR could have a major negative impact on their business if they fail to comply.
It’s important for employers to take a realistic, risk-based approach to compliance and with the deadline looming they should focus on the most important and riskiest areas first. Here are ten things employers need to know about GDPR:
GDPR affects small employers too - The GDPR will apply to organisations of all sizes, but not all organisations will be treated the same. Those that are not processing large amounts of data and are not involved in high risk processing won’t be expected to commit as many resources to GDPR compliance.
Employees have the right of access to data - The Data Protection Act 1998 already gives employees the right to make a subject access request in relation to their personal data, but under the GDPR these rights will be extended.
Organisations need good reason to process personal data - The GDPR specifies the conditions under which it is ok to process data and organisations need to be sure that at least one applies. While having “consent” is one, the employer/employee relationship means it could be tricky to prove that consent has been freely given, so it is advisable to have at least one other.
The GDPR will impact on the recruitment process - The GDPR will bring new protections for potential employees and, with it, new responsibilities for recruiters. For example, employers will need to formalise the reasons why data is processed and the period for which it will be retained, and provide this information to applicants.
Individuals have the right to be forgotten - The GDPR sets down the rights of individuals to ask that their personal data be erased.
Criminal records checks - Under the GDPR, employers would be allowed to carry out criminal records checks on prospective employees only if this is specifically authorised by law, for example where a Disclosure and Barring Service check is required for a role involving work with vulnerable adults or children. However, this is an area where the GDPR allows governments to set their own rules to some extent – and, under the proposed new UK data protection law, employers will be able to carry out criminal records checks in more circumstances, so this is an area to watch for developments.
Organisations may need to appoint a data protection officer – Where an organisation is a public body, its core activities involve large-scale data processing requiring regular monitoring of individuals, or it carries out large-scale processing of sensitive personal data or data relating to criminal convictions, it will need to appoint a data protection officer.
Data transfer outside the EEA will be controlled - If an organisation transfers personal data outside the European Economic Area (EEA), it will need to ensure that adequate protection is provided.
Organisations will need to provide an “information notice” - A key requirement of the GDPR is that employees are informed about the processing of personal data and this must be formalised in an information notice (aka a “privacy” or “fair processing” notice). The information provided needs to be significantly more detailed than that provided under the Data Protection Act 1998.
Non-compliance could be very, very costly - Compliance with the GDPR is not something to be taken lightly, with fines as high as €20 million or 4 per cent of the organisation’s global turnover – whichever is greater – for breaches.
The 2017 Veritas GDPR report calls the EU regulation “some of the most stringent data privacy regulations the world has ever seen”. With the deadline just around the corner employers can’t afford to wait any longer to prepare.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/