Act Now! If you’re not GDPR compliant by 25th May 2018, you could be fined up to €20 million or 4% of annual worldwide turnover, whichever is the greater.
Welcome to this HR Blast from Jaluch. Did that headline grab your attention? If you don’t know by now that the GDPR will replace the current Data Protection legislation this year, you’ll be in for a shock in May. However, it seems that if you didn’t know, you aren’t alone. The Daily Echo* recently reported that an Ipsos MORI survey suggests only 38 per cent of businesses know about the new legislation!
While February may have only just started, the next few months are sure to fly by, and it’s going to take some time to become GDPR ready – so don’t hesitate, don’t wait; make a start today!
So, what are the important things you need to know about GDPR?
- One of its aims is to harmonise data protection law across the EU.
- It’ll give employees greater rights as data subjects.
- There will be very significant penalties for breaching the GDPR, which include the fines set out above.
- Unlike the rules under the current Data Protection Act, the burden of proof will be reversed: from 25th May the responsibility will be on you as the employer to justify the retention of personal data, i.e. to show evidence that it is still needed and relevant.
- ‘Pseudonymization’ needs to be added to your dictionary – assuming you’re not ahead of the game and already there!
- You need to be issuing privacy notices to job applicants.
Interested? Here are some important aspects to think about. This is not exhaustive, but a starter for ten…
- Identification of an individual will not only be by name but also by “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. This is intended to be a very broad definition and expressly covers online identifiers, so IP addresses and cookie strings can be personal data.
- Sensitive personal data (the GDPR calls these the ‘special categories’) is broader and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to identify someone, data concerning health, and data concerning a person’s sex life or sexual orientation. Data about criminal convictions and offences is dealt with separately but attracts similar restrictions.
Rights to obtain and hold personal data on new applicants
- The data protection principles you know from the DPA remain, consolidated into six in the GDPR, but when processing personal data you must also satisfy at least one lawful processing condition and, for sensitive personal data, additionally at least one of the conditions specific to that data.
- The processing conditions are: consent of the data subject; that it’s necessary for the performance of a contract or to take steps at the individual’s request before entering into one; it’s necessary to comply with a legal obligation; it’s necessary to protect the vital interests of the data subject or another person; it’s necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or it’s necessary for the purposes of legitimate interests pursued by you or a third party, unless those are overridden by the interests or rights of the individual.
- The right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used.
- The right of access, similar to those rights under the DPA and encompassing the ever-popular subject access request.
- The right to rectification of data that is inaccurate or incomplete (again similar to the DPA).
- The right to ‘be forgotten’ (data deleted) under certain circumstances.
- The right to restrict processing of personal data (similar to the existing right to block or suppress processing under the DPA).
- The new right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
- Stricter requirements for obtaining consent to process data and employees must be able to withdraw their consent at any time, as easily as they have given it.
- Employers are unlikely to be able to rely on ‘consent’: the imbalance of power in the employment relationship means consent is unlikely to be freely given, and even where it is given it is unlikely to be deemed valid. You will usually need another basis instead, such as performance of the employment contract, compliance with a legal obligation, or your legitimate business interests.
Personal data you can’t ask for
- As now, you’ll only be able to ask for and hold data that’s ‘adequate, relevant and limited to what is necessary’. The data you do have should be for specific, explicit and legitimate purposes. Be careful of holding any data that could be deemed discriminatory.
- “Pseudonymization” is a concept newly defined in European data protection law: processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which is kept separately and protected by technical and organisational measures. It is the separation of the data from its direct identifiers, so that linking a record back to a person is not possible for anyone who does not also hold that separate information. Pseudonymised data is still personal data and is not exempt from the Regulation, but several requirements are relaxed for data controllers that use the technique.
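To make that separation concrete, here is an added Python example (it is not part of the Jaluch article and not a Jaluch tool). Direct identifiers are swapped for a token computed under a secret key, the table that maps tokens back to people is kept apart from the working data, and a contrast shows why a plain hash of a small identifier such as a staff number does not count as pseudonymisation. The sample records, field names and key handling are all constructed for the illustration.

```python
"""Added example (not from the original article): pseudonymisation of an HR
data set. Direct identifiers are replaced by a token derived under a secret
key, and the mapping back to the person is kept in a separate store. All
records, names and field choices below are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; no real people.
EMPLOYEES = [
    {"staff_no": "000123", "name": "A. Example", "email": "a.example@corp.example",
     "department": "Finance", "sick_days": 4},
    {"staff_no": "000456", "name": "B. Sample", "email": "b.sample@corp.example",
     "department": "Finance", "sick_days": 11},
    {"staff_no": "000789", "name": "C. Placeholder", "email": "c.placeholder@corp.example",
     "department": "HR", "sick_days": 0},
]
DIRECT_IDENTIFIERS = ("staff_no", "name", "email")


class Pseudonymiser:
    """Replaces direct identifiers with a keyed token.

    The key and the lookup table are the 'additional information' that the
    GDPR requires to be held separately from the working data. In a real
    deployment they would live in a separate system with its own access
    controls, not alongside the analytics data as they do in this sketch."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, Dict[str, str]] = {}  # token -> direct identifiers

    def token(self, staff_no: str) -> str:
        # HMAC-SHA256 under a secret key: the same person always gets the same
        # token (so records can still be joined), but without the key nobody
        # can compute or invert it. 24 hex chars (96 bits) is ample for an
        # HR-sized population.
        return hmac.new(self._key, staff_no.encode(), hashlib.sha256).hexdigest()[:24]

    def pseudonymise(self, records: List[dict]) -> List[dict]:
        working = []
        for rec in records:
            pid = self.token(rec["staff_no"])
            self._lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
            working.append(
                {"pseudonym": pid,
                 **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        return working

    def reidentify(self, pseudonym: str) -> Dict[str, str]:
        # Only possible for whoever holds the separately stored table.
        return self._lookup[pseudonym]


def sick_days_by_department(working: List[dict]) -> Dict[str, int]:
    """The working data set stays useful for HR analytics without identifiers."""
    totals: Dict[str, int] = {}
    for rec in working:
        totals[rec["department"]] = totals.get(rec["department"], 0) + rec["sick_days"]
    return totals


def unkeyed_hash(staff_no: str) -> str:
    """A plain hash of the identifier. This is NOT pseudonymisation (see below)."""
    return hashlib.sha256(staff_no.encode()).hexdigest()


def brute_force_unkeyed(digest: str) -> Optional[str]:
    """Recover a six-digit staff number from its unkeyed hash by trying every
    candidate. The identifier space is tiny, so anyone holding the data can
    do this: there is no separately held secret, and the data is therefore
    still directly identifying."""
    for n in range(1_000_000):
        candidate = f"{n:06d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    p = Pseudonymiser()
    working = p.pseudonymise(EMPLOYEES)
    print(working[0])                          # no name, email or staff number
    print(sick_days_by_department(working))    # {'Finance': 15, 'HR': 0}
    print(p.reidentify(working[1]["pseudonym"]))
    print(brute_force_unkeyed(unkeyed_hash("000456")))  # '000456' recovered
```

The key and the lookup table are what must be kept apart and access-controlled; the working set on its own is still personal data under the Regulation, so the relaxations concern how you may use it, not whether the GDPR applies. The unkeyed variant shows the common mistake: hashing a staff number, National Insurance number or similar short identifier without a secret gives no protection, because the whole identifier space can be enumerated in seconds.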
Storage and security obligations of employee personal data
- As before, you have an obligation to ensure that appropriate technical and organisational measures are taken to prevent unauthorised or unlawful processing, and accidental loss, destruction or damage. The GDPR gives examples of such measures, including pseudonymization and encryption of personal data.
- The current DPA suggests that employers should provide employees and applicants with a privacy notice, but under the GDPR you must provide more detailed information, including the lawful basis for the processing, how long the data will be stored, whether it will be transferred to other countries, the right to make a subject access request, the right to have personal data rectified or deleted in some circumstances, and the right to complain to the ICO.
- New mandatory breach reporting requirement: if there is a personal data breach, e.g. an accidental loss or disclosure, the employer will have to report it to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach poses a high risk to the individuals, they will also have to be notified without undue delay. You must also keep an internal record of every breach, whether or not it was reportable.
- Subject Access Requests – you will no longer be able to make a standard £10 charge for complying with a request. You will have one month to comply rather than the current 40 days (extendable by a further two months for complex or numerous requests). You can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, and if you refuse a request you must tell the individual within one month why, and that they can complain to the ICO (Information Commissioner’s Office).
- New accountability principle which requires businesses to demonstrate that they comply with the data protection principles and states explicitly that it is their responsibility to do so.
Data Protection Privacy Impact Assessments
- Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments, can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
- Employers will be required to carry out PIAs if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals. This will affect various aspects of HR activity, particularly in the recruitment and post-employment arenas – it is easy to see how vetting and assessment activities in recruitment, for example, might trigger a PIA.
Want to know what this means for you in practical terms and what action to take next? We offer support through:
- Half day training sessions for your HR team and line managers – delivered by our Jaluch team.
- Train the trainer sessions and materials for your trainers to roll out Data Protection Training.
- Updated GDPR Data Protection Policies, sample Privacy Notices, Guidance, Letters, Forms and audit – available on DocsWizard.
If you would like to discuss further then please do not hesitate to call a consultant on 01425 479888.
Sign up to Docs Wizard for 12-months for £249 to include letters, contracts, policies, management guides and data protection GDPR documents.
The information contained within this article is for general guidance only and represents our understanding of employment and associated law and employee relations issues as at the date of publication. Jaluch Limited, or any of its directors or employees, cannot be held responsible for any action or inaction taken in reliance upon the contents. Specific advice should be sought on all individual matters.