This blog is written by Victoria McMeel, who has recently joined Jordans Corporate Law as our Head of Employment. Victoria is a specialist employment solicitor with more than 15 years' experience.
With only 6 weeks to go before the GDPR come into force and potentially hefty fines for non-compliance, employers need to take these practical steps now.
What is the GDPR?
The GDPR stands for the General Data Protection Regulations and is a European regulation due to come into force in all the member states, including the UK, on 25 May 2018.
We operate in a very different and more technologically advanced world than when the data protection laws were first introduced in the late 1990s. For example, smartphones, tablets and social media are now used by individuals on a daily basis. Biometric screening of staff is increasingly part of corporate wellness programmes. The way in which organisations store and manage data has changed beyond recognition.
The upshot is that the Data Protection Act 1998 (DPA 1998) is no longer considered fit for purpose. The GDPR is intended to provide a common set of rules across the European Union which can meet the changing data protection landscape of the modern world.
How do the GDPR affect me as an employer?
The GDPR do not just apply to data in relation to employees but also job applicants, workers, self-employed consultants and contractors.
Employers process a lot of personal data of their staff on a day-to-day basis, for example through background checks, payroll administration, insurance, performance reviews, and disciplinary and grievance investigations.
The GDPR go much further than the DPA 1998 to protect data subjects and contain more stringent requirements for employers to comply with. For example, it is no longer enough for employers to simply include a clause in employees’ contracts of employment consenting to the processing of their data.
The maximum fines for non-compliance have increased hugely as well: from £500,000 under the DPA to an astronomic 20 million euros (or up to 4% of annual worldwide turnover, whichever is higher).
What steps should you be taking now?
The good news is that it is not too late for employers to start taking practical steps now to meet the GDPR compliance requirements. The Information Commissioner's Office is likely to be more stringent on those businesses who have taken no steps at all to comply with the GDPR than those who can demonstrate that they have taken steps towards compliance, even if these are not developed until after the GDPR comes into force.
GDPR is not just an HR issue – it affects the whole business. Get buy-in from your organisation and appoint a data protection lead to oversee the process of compliance and to ensure that, going forwards, the GDPR is complied with.
Carry out a data review. It is important to work out exactly what personal data the business processes, why it is collected, where that data is stored and how long for.
Consider which legal bases the business is going to rely on for processing personal data going forward, bearing in mind the data protection principles. The legal bases are:
1. Consent of the data subject
2. Necessary for performance of a contract
3. Compliance with a legal obligation
4. Protection of the vital interests of the data subject
5. In the public interest
6. Necessary for legitimate interests
Keep a record of legal bases which the business seeks to rely on to prove compliance. The ICO can request evidence of compliance at any time after 25 May 2018.
Carry out a review of your contracts of employment and policies to ensure compliance. With contracts of employment this will involve the removal of blanket consent clauses. Remember that for existing staff you will need to inform and consult with staff when seeking to change terms and conditions. Cite which of the grounds you will be relying on for processing data.
Review and update policies in the Staff Handbook to comply with the GDPR. This will most obviously be the data protection policy but also other policies and procedures need to be considered (for example: disciplinary procedures should be updated to take into account breaches of the GDPR and homeworking policies to take into account data security and protection).
Ensure regular reviews of contracts and policies and training of personnel on the GDPR to ensure compliance.
At Jordans Corporate Law we can assist you with every aspect of compliance with the GDPR, including advising on data reviews and the legal bases for processing data, reviewing and amending contracts and policies, including advising on implementation, and training staff and key personnel.
Please contact Victoria McMeel, Head of Employment (email email@example.com) or Simon Bates, Head of Commercial (email firstname.lastname@example.org) for more information about how we can help your business.