Don’t underestimate what is involved in achieving compliance.
May 25th, 2018 may seem such a long time away (after all, we are still to have Christmas yet), BUT when we really take time to think about how much personal data we hold in our workplaces, does 25th May 2018 really give us enough time to assess what we hold, how we hold it, how long we should be holding it for, how to destroy it, how to categorise it, how to inform staff what we are doing with it, re-writing data policies, informing external parties who provide personal data on how we hold it, how long we hold it for, how we destroy it, how we categorise it... Got you thinking now, haven't I?
When the new piece of legislation comes into force, it will comprehensively change the current Data Protection Rules. The requirements placed on organisations will be massive, and the penalties for failing to adhere to the many concepts contained within it will be much more severe.
The GDPR will apply to any organisation that processes the personal data of individuals in relation to offering goods or services or monitoring their behaviour. Organisations will need to consider:
More Detailed Privacy Notices
Current legislation requires employers to provide employees and job applicants with a privacy notice containing certain information. The GDPR will require employers to provide more detailed information such as:
• How long the data will be stored for
• If the data will be transferred to other countries
• Information on the right to make a subject access request
• Information on the right to have personal data deleted or rectified
Restrictions On Consent
Many organisations process data on the basis of employee consent. This is usually covered by a brief statement in a contract of employment: when the employee signs, they are agreeing not only to their terms and conditions of employment but also to the employer processing their data in line with the Data Protection Act 1998. GDPR will require more prescriptive detail for obtaining consent, and employees must also be made clearly aware that they can withdraw their consent at any time.
New Breach Notification Requirements
The GDPR imposes a mandatory breach reporting requirement. In the event of a data breach, the employer must provide certain information and notify the data protection authority within 72 hours of the breach. Where the breach poses a high risk to the rights of individuals, those individuals must also be notified.
Data Protection Officers
Public authorities, and private companies engaged in regular monitoring and large-scale processing of personal data, will need to appoint a Data Protection Officer.
Data Protection By Design and Default
Organisations will now have to take account of data protection risks and embed them into the process of designing and operating any policy, process, product or service. This means considering data protection from the outset to ensure that processing complies with GDPR. Data protection by default means that only the data necessary for each specific purpose is processed. This means ensuring that:
• Only the minimum amount of personal data is collected and processed for a specific purpose
• The extent of the processing is limited to that specific purpose
• Personal data is stored for no longer than is necessary
• Access to data is restricted to that necessary for each purpose
Legal Basis For Processing
There is a greater emphasis on the legal basis for processing, as processing by consent will be more problematic; therefore, employers will need to rely on other grounds. This could be that processing is necessary for:
• Compliance with legal obligations
• The performance of a contract
• The purpose of the legitimate interests of the employer or third party
An example would be where an employer needs to process data to provide for statutory employment entitlements such as annual leave, maternity or sick pay.
Data Subject Access Requests
Currently, employees have a right under the Data Protection Act to obtain information from their employer confirming whether their personal data is being processed, information about that data, and a copy of the data being processed. The GDPR requires employers to provide the requested information without undue delay (they currently have 40 days) and free of charge (they can currently charge £10), and to have systems in place to ensure they comply with access rights.
One of the biggest changes is the accountability principle, which requires employers to demonstrate compliance with the data protection principles. This requires employers to keep extensive records of their data processing operations, which must be produced to the supervisory authority for inspection on request.
Employers should create a data register containing all information about all personal data processed in the organisation, including:
• The purpose for which the data is processed
• A description of the categories of data subjects and categories of personal data, including whether the data is sensitive data
• Categories of the recipients of the data
• Any transfer of data outside of the UK
• Anticipated storage periods for the different categories
• The technical and organisational security measures to safeguard the data
Automated Decision Making
Employees have the right not to be subject to a decision made solely by an automated processing system where that decision significantly affects them, e.g. formal action under sickness absence policies due to Bradford factor scoring, formal performance action derived from a performance monitoring system, etc.
Employers need to be careful not to underestimate the work involved in preparing for and implementing the new requirements under GDPR, and should be looking to set up a working group or team to start tackling the many actions and requirements soon.