What is the GDPR?
The GDPR is a new law that will govern how organisations control and process personal data. The GDPR is EU legislation; however, irrespective of the Brexit negotiations, the UK government has confirmed that it will implement the GDPR.
Whilst there is much crossover with the Data Protection Act 1998 (DPA), the GDPR will change existing rights for data subjects and introduce some new rights to protect employees against the misuse of their data.
The new and amended duties include: the right to erasure (the "right to be forgotten"); strengthened rights for individuals to restrict and/or object to the processing of their personal data; and a significant increase in the maximum fines for data processing breaches (e.g. up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros, whichever is the greater).
Five key steps
There will be numerous steps that organisations will need to take to comply with these new duties but below are five key first steps HR professionals should consider taking:
- The first step should be to undertake an information audit. The purpose of this audit is to establish and document what personal data the organisation holds, where it came from and who it is shared with. Using the results of the information audit, HR professionals should then be able to identify what will need to change to comply with the revised regime.
- The GDPR reinforces the position that consent must be freely given, specific, informed, and capable of withdrawal at any time. It also reinforces the position that, because of the imbalance of power in the employer/employee relationship, in most circumstances consent by employees is unlikely to be “freely given”. Employers should therefore review any over-reliance on consent as a valid basis for processing employee data and instead consider other grounds for processing it, for example performance of a contract with the employee, or the processing being necessary for the purposes of the employer’s legitimate interests.
- The GDPR will require organisations to include more detailed information within privacy notices than is currently required by the DPA. This information will need to be provided in clear and easy-to-understand language and include: the length of time for which the data will be held; the source of the data (unless it originates from the data subject); who will receive the personal data; the period for which the data will be stored; the existence of data subject rights, such as subject access, rectification and erasure; and the right to object to processing. HR professionals should therefore review any privacy notices given to employees (and job applicants) to consider what additional information will need to be included.
- One of the new rights (as mentioned above) is that individuals will be able to request that organisations delete their personal data in certain circumstances (for example, where the data is no longer necessary for the purpose for which it was collected, or where the data subject withdraws their consent). HR professionals will therefore need to consider how they will give effect to this right, as deletion of personal data is not always straightforward.
- Under the GDPR, organisations must process requests without undue delay and reply within one month. This can be extended by two months where the complexity of the request justifies it. HR professionals should consider implementing/updating procedures to establish how requests will be handled within the new timescales and provide any additional information.
The GDPR will soon be with us and it is important that organisations have plans in place to manage the transition to the new data management and processing rules. The five key steps identified above provide a starting point for HR professionals in this process to ensure that their core areas of responsibility will be compliant with these new duties from day one.
All content on this page is correct as of July 7, 2017.