The General Data Protection Regulation (“GDPR”) comes into effect on 25th May 2018. The GDPR will have an impact on businesses of all shapes and sizes if they handle information regarding customers, clients or employees (including former employees, job applicants etc.).
The GDPR will regulate the processing of all personal data across all EU member states. The government has confirmed this will be adopted despite Brexit.
Personal information is anything that allows a living person to be identified either directly or indirectly and can include a name, address, email address, financial details, phone number and even job title. The GDPR refers to sensitive personal data as “special categories” of personal data, including details of trade union membership, political opinions, racial or ethnic origin, sex life, religious beliefs or other beliefs of a similar nature, and physical or mental health or condition.
For employers this means that the GDPR requires detailed and more extensive information to be provided to employees, including (but not limited to):
- The legal basis for processing personal data
- The identity and contact details of the data controller
- The period the data will be stored
- The rights of the data subject e.g., access to data; rectification or deletion of personal data; portability and how to complain to the regulator
- Recipients of personal data
- If personal data is to be transferred to a non-EEA country, the legal basis for doing so and the appropriate safeguards in place to protect the data.
Employers must provide this information in writing.
There is a separate requirement for an employer to implement and maintain a policy detailing the processing of sensitive personal data and how it is in accordance with the data protection principles. It is vital that employers review existing data protection policies and update them prior to the implementation of the GDPR in May 2018.
Currently the ICO’s enforcement ceiling is £500,000. This is set to rise dramatically to 4% of global annual turnover or €20 million, whichever is the higher. A data subject will be entitled to compensation even if there is no actual financial loss (i.e. damages purely for distress are sufficient).
How to comply
Employers should consider the following checklist of actions:
- Who is in charge of data protection in your business?
Decide who is responsible for registering with the Information Commissioner and ensuring the firm has good data protection procedures in place.
- What personal information does your business store?
Carry out an audit to review and record the categories of data you hold.
- Assess risk
What systems do you have in place to cover any possible breach of security and improper processing, including failing to delete personal data when you no longer require it? Do you have appropriate privacy notices and policies in place?
- Take action
  - Review the data protection policy and update it in accordance with the GDPR requirements. Also ensure your website terms and conditions are compliant.
  - Review and update data privacy notices for employees.
  - Circulate the policy and privacy notices to all staff for review and sign-off.
  - Train staff regularly on data processing security requirements.
  - Check the business has a safe and secure technical system in place for storing personal data.
  - Check that suppliers are GDPR compliant, reviewing standard terms of business and engagement letters where necessary, particularly if your business outsources HR or payroll services.
  - Review marketing databases.
  - Review HR practices (including recruitment processes when sourcing CVs) and documentation.
If you require any advice in relation to the above or, indeed, any other issues relating to your business please do not hesitate to contact Lisa Branker in our Employment & HR Department on 0191 5670465 or by email [email protected] or [email protected].