One year has passed since the General Data Protection Regulation (GDPR) came into force in May 2018.
GDPR was the biggest change to data protection laws across the European Union in 20 years and introduced significant changes in how businesses must manage personal data.
Cyber-attacks have become far more common, and people are now more concerned about how their data is used. To address this, the GDPR required organisations to be more vigilant regarding data protection and more transparent with how they use data.
Has GDPR made a difference?
Employers have become noticeably more aware of how they handle data. This was immediately visible in the build-up to the changes in legislation, with many organisations emailing their contacts en masse requesting permission to use their data and review privacy settings.
In many cases, that didn’t need to take place as ‘consent’ is only one of the six lawful grounds for data processing. However, it seems that many data holders felt it was better to be safe than sorry.
Breaches of the GDPR can lead to heavy fines depending on the nature of the breach. A ‘tier one’ breach is one where the authorities consider the data at risk to be highly important; the fine can be up to €20 million or 4% of the company’s annual worldwide turnover, whichever is greater.
A ‘tier two’ breach is any other breach, which could lead to fines of up to €10m (£8.6m) or 2% of the previous year’s global annual turnover.
Over the first year, fines have amounted to a total of €56 million. Most of this is attributed to Google, which was fined €50 million by the French data regulator CNIL for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The majority of reported cases have been linked to data breaches, such as the Morrisons case, in which an employee stole data including the names, addresses, salaries and bank details of almost 100,000 staff.
What do employers need to do?
Here is a selection of the regulations employers have to follow to be GDPR compliant:
Detailed privacy notices – Under the former legislation, employers had to provide employees and job applicants with a privacy notice. GDPR requires them to go further and provide more detailed information on what the data will be used for, how long it will be stored, whether it will be transferred to other countries, and the individual’s rights to have personal data deleted or rectified.
Subject access requests – Employers can no longer charge for complying with a request, and have a month to respond. Any refusals have to be explained, along with a statement that the individual has the right to complain to the supervisory authority.
76% of respondents in a survey by Cezanne HR said they have witnessed an increase in subject access requests (SARs) since the regulation came into effect.
Restrictions to consent – Many employers used to justify using their employees’ personal data on the basis of employee consent. However, because of the subordinate nature of the employer-employee relationship, it could be argued that such consent was not actually freely given.
GDPR introduced further legal requirements for employers to use personal data, and employees are able to withdraw their consent at any time. Employers need to meet the new legal requirements to justify processing data.
New breach notification requirement – GDPR makes it mandatory to report data breaches. In the case of a breach, such as disclosure of personal data or an accidental or unlawful loss of data, an employer has to notify the data protection authority within 72 hours. If the breach puts the rights and freedoms of the affected individuals at risk, they will also need to be informed.
Data protection officers – Organisations that regularly monitor or process large volumes of data need to appoint a data protection officer. The officer should advise on GDPR obligations and compliance, and liaise with the data protection authority.