GDPR: What employers need to do

By David Ralph | November 9, 2017 | Advice

As an employer, you should be aware that the General Data Protection Regulation (GDPR) will come into force on Friday 25th May 2018. The GDPR is designed to standardise data protection laws across the European Union, and will introduce significant changes in how businesses must manage personal data.


Why is the GDPR being introduced?

Data protection laws across Europe have become outdated over the last two decades due to the rise of globalisation and the rapid advances in technology. Individuals’ data is potentially vulnerable when being transferred between EU member states with differing levels of security in place.

Cyber-attacks are now far more common, and people are now more concerned about how their data will be used. To address this, the GDPR requires organisations to be more vigilant regarding data protection and more transparent with how they use data.


Will the GDPR apply to businesses in the UK after Brexit?

Even though the UK is set to leave the European Union, employers in this country will still have to adhere to the GDPR. As part of the implementation process for the regulations, the current Data Protection Act 1998 will be replaced by a new Data Protection Act in 2018 that absorbs the terms of the GDPR and will work in addition to it. The new DPA will also cover areas outside of the GDPR, such as national security.

Employers in the UK should prepare now for the new legislation, as the UK will still be a member of the EU when it comes into force. The GDPR doesn’t just apply to businesses based within the EU – any organisation that holds and processes the personal data of individuals from within the EU must adhere to it.


What will employers need to do?

Here are some of the changes that employers will have to make to comply with the GDPR:


More detailed privacy notices – Under current legislation, employers have to provide employees and job applicants with a privacy notice. The GDPR requires them to go further and provide more detailed information on what the data will be used for, how long it will be stored for, whether it will be transferred to other countries, and the individual’s rights to have their personal data deleted or rectified.


Subject access requests – Employers should update their procedures for handling subject access requests. They will no longer be able to charge for complying with a request, and will have one month to respond. Any refusal will have to be explained, along with a statement that the individual has the right to complain to the supervisory authority.


Restrictions to consent – Many employers justify using their employees’ personal data on the basis of employee consent. However, because of the subordinate nature of the employer-employee relationship, it could be argued that such consent is not actually freely given. The GDPR will introduce further legal requirements for employers to use personal data, and employees will be able to withdraw their consent at any time. Employers will need to meet the new legal requirements to justify processing the data.


New breach notification requirement – The GDPR will make it mandatory to report data breaches. In the case of a breach, such as disclosure of personal data or an accidental or unlawful loss of data, an employer will have to notify the data protection authority within 72 hours. If the breach is likely to put the rights and freedoms of the individuals at risk, those individuals will also need to be informed.


Data protection officers – Organisations that regularly monitor or process large volumes of data will need to appoint a data protection officer. The officer should advise on GDPR obligations, compliance, and liaise with the data protection authority.


What happens if my business is not compliant?

Breaches of the GDPR can lead to heavy fines depending on the nature of the breach. A ‘tier one’ breach is one where the authorities consider the data at risk to be highly important, and the fine could be up to €20 million or 4% of the company’s annual worldwide turnover, whichever is greater.

A ‘tier two’ breach is any other breach, which could lead to fines of up to €10m (£8.6m) or 2% of the previous year’s global annual turnover.


Learn more

Deminos can advise on how to become GDPR compliant. To get up to date on data protection either call one of our advisors on 020 7870 1090, or take our Data Protection in the Workplace eLearning course.

Author David Ralph
