GDPR is coming into force

Last week saw the start of spring and, while it was a shame to lose an hour in bed on Sunday, I have to say it was worth it to have longer evenings. The start of spring is a time for change and excitement in most areas of life. The same can't always be said for law, but there is a new regulation set to come into force which has got us quite excited. The law surrounding data protection is set to change, and these changes will affect many of our clients as well as businesses in general. The EU-wide General Data Protection Regulation (GDPR) will apply directly in the UK from 25 May 2018, supplemented by the Data Protection Act 2018, which will replace the Data Protection Act 1998. As with any new regulation it can be a minefield to work through, so here is a summary of the points you should consider to ensure that your business is compliant.

Employment related data

As an employer you will process the personal data of employees for numerous reasons. You will need to think about how you do this once the regulation kicks in, to ensure that the collection and use of data is compliant with GDPR, and you will have to meet at least one of the conditions for lawful processing. One of these conditions is consent, which has commonly been relied upon by employers looking to comply with the Data Protection Act 1998. But the extent to which employers can continue to rely on this ground is now uncertain. This is because the GDPR requires consent to be "freely given, specific, informed and unambiguous". Due to the imbalance of power in the employment relationship, it is widely thought that an employee's consent will not, in fact, be taken to be "freely given" in this context. Consent can also be withdrawn at any time, so any processing that rests on it alone could have to stop. Therefore, employers should look at other conditions to satisfy the lawful processing test.

Another such ground for lawful processing is where it is necessary for the performance of the employment contract. This will be applicable in circumstances such as, but not limited to, paying employees, providing them with their benefits and complying with HMRC reporting obligations. Data can also be processed under the ground of legitimate interests in situations where the employee reasonably expects that data processing may take place for such a purpose. This ground is not automatic, though: the employer's interest has to be balanced against the employee's interests, rights and freedoms, and it is sensible to record that balancing exercise so that it can be shown to the regulator if asked.

Accountability

With the new regulation you will hear the word "accountability" quite a lot, as it is a key principle under GDPR: it is not enough to comply, you must also be able to demonstrate that you comply. How can this be achieved? Data protection audits are one way and involve assessing existing and / or proposed data processing activities. Things you should consider include the categories of personal information held; the purpose of collection and the lawful basis relied on; who the data is shared with; how long it is retained; and what happens once the data is collected. Most organisations will also need to keep a written record of their processing activities. Data protection policies should be implemented to ensure both employer and employees are aware of their responsibilities.

Some employers will be legally required to appoint a Data Protection Officer (DPO), including public authorities and organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category data (such as health data) or criminal conviction data. However, even where you are not required to have a DPO, it is best practice to appoint an individual to be responsible for monitoring GDPR compliance and to deal with any data breaches, especially as the potential fines are set to increase from the current maximum of £500,000 to the greater of 20,000,000 euros or 4% of worldwide annual turnover.

Data breach

This is something that you will want to avoid. However, in the event of a personal data breach, employers have a responsibility to notify the Information Commissioner's Office, without undue delay and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This needs to be determined on a case by case basis, and relevant considerations will be the loss of control suffered by the individuals affected, as well as the risk of identity theft, financial loss and damage to reputation. Where the risk is deemed to be "high", the individuals affected by the breach should also be notified without undue delay. There are exceptions to this second requirement, for example where the data has been rendered unintelligible to anyone not authorised to access it, such as properly encrypted data where the key has not also been compromised, or where the risk is no longer likely to materialise, such as where an email sent to an unintended recipient has been successfully recalled before being opened. Whether or not a breach is reported, a record of it and of the decision taken should be kept.

Next steps

So with GDPR coming into force soon, it is vital that employers begin to take steps in readiness for it now. If you need any help with reviewing and updating your current arrangements, or with updating documentation such as employee handbooks, privacy notices, policies and contracts, then we can offer assistance.