New laws come into force this Friday in the UK (25 May 2018), known as the General Data Protection Regulation (GDPR), and are applicable across the European Union. The new Regulation represents a wholesale update of the current UK laws on data protection, which date back to 1998.
For many organisations the mere mention of ‘GDPR’ fills them with complete dread. Recent statistics show that less than a third of organisations feel that they are ready for GDPR, and half of those who know that GDPR will apply to them admit a lack of understanding of the data that they collect and process. Other problems include gaps in employee training, with many employees not understanding the new responsibilities that come with GDPR.
More worrying for organisations are the massive financial penalties that they could face if they are found to be in breach of the new GDPR laws. The maximum penalty is 20 million Euros or 4% of global annual turnover. Although this is worrying for many organisations, there is a lower tier fine of 10 million Euros or 2% of global turnover.
It is, however, likely that higher tier fines will be reserved for the more serious infringements, and that for the vast majority of organisations fines will be issued by the Information Commissioner’s Office (ICO) on a case-by-case basis in the spirit of being ‘effective, proportionate and dissuasive’.
The reality, however, is that the ICO will continue to operate in a similar vein to how it has been doing and that fines will be a last resort. This has been confirmed by Elizabeth Denham, the current Information Commissioner, although she has dismissed predictions that there will be a period of grace in which the ICO will be more lenient, as she believes that businesses have had two years to prepare for GDPR.
The good news is that if you are currently compliant with data protection requirements then it shouldn’t be too traumatic to extend compliance to the new GDPR requirements.
This article is therefore designed to gently point you in the right direction and to highlight the main changes that you need to be aware of, so as to assist with updating any policies and procedures and to promote general compliance with GDPR.
There is a lot of information out there on all things GDPR; however, the Information Commissioner’s Office (ICO) has set out some useful guidance and has made reference to 12 steps that it recommends organisations should adopt. These 12 steps are common sense, but there are some new steps that organisations need to take to ensure compliance.
Awareness
Organisations need to ensure that decision makers and key personnel are aware of the new legislative requirements of GDPR and their likely impact, identify areas that are likely to cause difficulties, and review any resourcing difficulties that would prevent compliance. The implementation of GDPR could have significant resource implications for larger organisations if left to the last minute.
The Information that is held
Organisations need to document the personal data that they hold, where that data has come from and with whom it is shared. By way of example, when recruiting candidates for employment a record should be kept of the CVs received, where they came from and with whom they are shared. Other personal data can include employee bank account details, national insurance numbers and sensitive data, for example sex, race and ethnicity. It is a good idea to organise an information audit across the organisation or within particular business areas.
Updating and communicating privacy notices
It is a good idea to review and update privacy notices and to plan ahead in time for the implementation of GDPR. In particular, organisations should set out in their privacy notices the legal basis for processing personal and other data and how long such data is retained, and should also clarify the right to complain to the ICO. It is important for information to be provided in concise, clear and easy to understand language.
The rights of individuals including employees
Individuals, including employees, have many rights under GDPR, including the following:
- The right to be informed
- The right to access data held on themselves
- The right to have inaccuracies corrected
- The right to have information erased, known as the right to be forgotten
- The right to restrict processing
- The right not to be subject to automated decision making and profiling
- The right to prevent data being sent to third parties for the purpose of indirect marketing
- The right to object; and
- The right to data portability
Changes to subject access requests (SARs)
There are changes in this arena with the abolition of the £10 fee, although organisations can charge for excessive requests or even refuse such requests. There will also be a month within which to respond to such requests, in place of the current 40-day time limit. There is also the obligation to provide data subjects such as employees with additional information, for example data retention periods and their legal right to have inaccurate data corrected. Organisations should consider whether it is feasible or desirable to develop systems that allow individuals to access information online, which should prove less cumbersome than having to provide and arrange large volumes of physical data.
Lawful basis for processing personal data
The ICO recommends that organisations review the types of data that they are processing and document the legal basis for carrying out each type of processing. These should also be set out in privacy notices. It should be possible to review the types of processing activities carried out and to identify the lawful basis for each.
Consent
Consent to process data must be provided freely and explicitly, and the ICO guidance suggests that organisations should review how they are seeking, obtaining and recording the consent of individuals, including employees. The GDPR standards for consent are that it needs to be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. In an employment context this can be done as a separate letter for an employee to sign when they agree to any offer of employment, which does not form part of any contract of employment. Consent cannot be inferred from silence, inactivity or pre-ticked boxes; it must be explicit consent from data subjects.
Children
This is a new requirement under GDPR. ICO guidance indicates that the UK is likely to legislate to provide for anyone under 13 to be classified as a child and to provide special protection for children’s personal data, especially relating to commercial internet services. GDPR requires organisations to introduce systems for verifying individuals’ ages and to obtain parental or guardian consent. Any privacy notices also need to be in clear, simple language that children will understand.
Data breaches
There will be a general duty to notify the ICO of certain breaches, for example any breaches resulting in damage such as identity theft or breaches of confidentiality. The ICO recommends that procedures are in place to detect, report and investigate any personal data breaches. Breaches which result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to an individual should, for example, be notified to the ICO.
Data Protection by design and data protection impact statements
It is recommended that organisations familiarise themselves with the ICO’s Code of Practice on privacy impact statements as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them within the organisation. A privacy impact statement is required in situations where data processing is likely to result in a high risk to individuals, for example:
- Where new technology is being deployed
- Where a profiling operation is likely to significantly affect individuals; or
- Where there is processing on a large scale of special categories of data
It is therefore vital that all organisations identify any high risks involved in the processing of data so that they can address those risks.
Data Protection Officers
It is important that organisations designate someone to take responsibility for data protection compliance and to clarify where they will sit in the organisation’s structure, for example in the legal department or in regulatory affairs. Consideration should be given to formally designating a Data Protection Officer.
International
If the organisation operates in more than one EU member state with cross-border processing, then a lead data protection supervisory authority is recommended. A supervisory authority must also be identified in the State where the organisation’s main establishment is located.
Time is ticking for organisations to get their houses in order and it is hoped that this article will prove useful in addressing some of the concerns and to pinpoint what is important in complying with the GDPR.
Steven Eckett is Head of Employment at Meaby&Co. For timely advice: email@example.com or call 0207 703 5034.
Meaby&Co is authorised and regulated by the Solicitor’s Regulation Authority (SRA Number 447880) and registered in England and Wales with registered number OC322672 at 2 Camberwell Church St, London, SE5 8QY.