NEW requirements on companies and organisations that have a responsibility for safeguarding sensitive personal data are looming ever closer. Ahead of the General Data Protection Regulation coming into force on May 25 2018, here at Milners we have developed this handy guide that sets out what steps you should be taking now to ensure you are compliant.
The General Data Protection Regulation (GDPR) – what does it mean for you?
GDPR will come into force on May 25 2018. Whilst this new legislation has similarities with the Data Protection Act 1998 (DPA), there are some new requirements placed on companies and organisations that are responsible for data protection.
Whilst the principles contained in the DPA remain in force, the GDPR adds to these principles and, perhaps most importantly, creates a new accountability requirement.
If a company is found to be non-compliant with the requirements of the GDPR then the associated penalties are much more severe than under the DPA.
Organisations can now be fined up to 20 million Euros or 4% of their annual turnover (whichever is greater); this is considerably more onerous than the previous maximum penalty of £500,000.
This article is designed to give you an overview of what the GDPR will mean and what companies should be looking at doing at this time, including:
- Lawful processing
- Individual rights
- Accountability and breach
- Transfer of data
- Next steps
In order to process personal data and sensitive personal data, the processing must be lawful and transparent under the requirements of the GDPR. Personal data is now more clearly defined; however, in practice (if you currently keep records, i.e. customer lists, contact details, employee data), little will change, as anything within the scope of the DPA also falls within the scope of the GDPR. Sensitive personal data covers special categories of personal data, for example genetic data.
All organisations must identify a lawful basis before they can process personal data, and this decision should be documented. A company’s decision regarding lawful processing has an effect on individual rights. Examples of lawful processing include (but are not limited to):
- Consent of the individual
- It is necessary for the performance of a contract with the individual (or to take steps to enter into a contract)
- It is necessary for compliance with a legal obligation
- It is necessary to protect the vital interests of the individual or another person/party
Consent under the Regulations must be given freely and has to be a positive action, so organisations cannot rely upon an individual being silent or inactive, or upon a pre-ticked box, to show that “consent” has been given freely. Further, it has been stipulated that consent to processing under the GDPR must be easy to withdraw. As an employer you must take particular care to ensure that consent is given by your employees in order to lawfully process their data.
Rights already provided under the DPA are to be enhanced under the GDPR, and some further rights are created. The following rights are provided:
- The right to be informed – this includes an obligation to ensure fair processing information is passed on and available meaning that a privacy notice is required.
- The right of access – this includes the right to obtain confirmation that personal data is being processed, access to that personal data and other information (as contained in a privacy notice). The fee for providing information under a subject access request is no longer payable, although if a request is unfounded or excessive a reasonable fee could be charged. Finally, information must now be provided within one month of receipt of the request.
- The right to rectification – if personal data is inaccurate or incomplete
- The right to erasure – an individual has the right to request the removal of personal data where there is no reason for its continued processing. This includes where an individual withdraws consent.
- The right to restrict processing – personal data may still be stored but you would not be entitled to process it further, for example where an individual contests the accuracy of the data.
- The right to data portability – to allow individuals to obtain and reuse their personal data for their own purposes across different services. This means that data has to be provided free of charge and in formats that are readable by other organisations. Again, the time limit to comply is one month (although extensions could be sought in certain circumstances).
- The right to object – this includes direct marketing and processing for purposes of research/statistics. This right must be in your privacy notice and also individuals should be informed of this at first communication with them.
- Rights in relation to automated decision making and profiling – in order to prevent a potentially damaging decision being made without human intervention.
Accountability and breach of personal data
The GDPR is focused on transparency and looks to promote accountability. Therefore, organisations need to ensure that they are aware of their responsibilities and of what measures they have taken to comply with the Regulations, for example: staff training, review of their HR policies, keeping relevant records and updating their privacy notice. If needed, a Data Protection Officer (DPO) should be appointed who is responsible for ensuring that the organisation is compliant and who will be the main point of contact for individuals whose data is processed, as well as for the supervisory authorities.
If your business has over 250 employees then you must maintain internal records of processing activities, including records that deal with data whose processing is connected to a risk to the rights and freedoms of the individual. There are also special categories of data, including criminal convictions and offences.
A breach is more than simply a loss of personal data: it means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach which is likely to result in a risk to the rights and freedoms of an individual should be reported within 72 hours to the relevant supervisory authority. Organisations should therefore put in place an internal procedure for reporting and investigation to ensure that they comply with this requirement.
If, as an organisation, you deal with personal data then you need to be looking at the following:
- What information you hold now – you will need to ensure that your records are up to date, including how you obtained the information and where you have shared it, especially if this is outside of the European Economic Area.
- Review your current procedures to ensure they cover all rights provided to individuals by the GDPR and ensure these are communicated to all individuals
- Review your procedures for subject access requests to ensure these are up to date, noting that the timescales are now one month
- Identify a lawful basis for processing activity and ensure that this is documented and your privacy notice explains the position
- Ensure that you review how you obtain consent and how this is managed to ensure that it meets the requirements set by the GDPR. If your organisation deals with children then further thought needs to be given regarding consent and the protection afforded to children’s personal data
- Consider whether the organisation is required to have a Data Protection Officer or whether it would be beneficial as they can be appointed to deal with and review any breaches or potential breach
- If you are active in recruitment then you need to ensure that the data processed is compliant with the Regulations, including ensuring that consent is provided, particularly should you wish to obtain a criminal records check (especially if a role is not specifically authorised by law).
Should you have any questions or concerns regarding GDPR then please do not hesitate to contact a member of the Employment Law team here at Milners on 0113 245 0852, or email us at firstname.lastname@example.org