In this article, Kathy Daniels, employment law author and lecturer, looks at the imminent introduction of the General Data Protection Regulation, and explains what you should be doing to prepare for this.
The General Data Protection Regulation (GDPR) is a framework for data protection which applies to all EU Member States. It becomes enforceable on 25 May 2018, and the Government has confirmed that it will apply regardless of Brexit.
The Government has introduced a new Data Protection Bill. This replaces the Data Protection Act 1998, enforces the GDPR and also covers the requirements of the EU Law Enforcement Directive. It is expected that we will have draft legislation by the end of the year, ready for implementation in time for 25 May next year.
Being compliant with the GDPR is very important because the penalties for breaching the GDPR will be harsh — up to £20 million or 4% of the annual global turnover of the organisation, whichever is greater. There is a need to prepare now, because you will have to be compliant from 25 May 2018. Being compliant with the current Data Protection Act 1998 (DPA) will certainly be a good starting point, but there are differences in the GDPR which you need to be aware of.
What is covered?
The GDPR applies to controllers and processors of data in the same way as the DPA. If you are currently covered by the DPA you will also be covered by the GDPR. In addition, to applying to controllers and processors of data in the UK, however, the GDPR also applies to the processing of data within the whole EU. It also applies to the processing of data by organisations who are not based within the EU but who are providing goods or services to individuals or organisations within the EU.
What does the GDPR apply to?
As with the DPA, the GDPR applies to the processing of personal data. However, the definition of personal data in the GDPR is wider than in the DPA. It includes all data that identifies an individual. This includes the data that is currently covered by the DPA such as personnel files and customer lists, but it could also cover an IP address, or a pseudonym if an individual could be identified from this.
It applies to both manually and electronically held data. As with the DPA there is a specific category of “sensitive personal data” but this is extended to include genetic or biometric data which could identify an individual.
What are you required to do?
The basic requirements of the GDPR are the same as for the DPA. You must store the data securely, you must not share it without the consent of the individual it refers to, and you must not process it without the individual’s consent. However, there are some additional requirements in the GDPR which are the:
controller must keep a record of the personal data that is being stored and how it is being processed
most notable change is to accountability. You must be able to show that the way that you have designed your processes complies with the GDPR. These processes must include adequate systems, clear basis for decisions, training those involved in data handling and having relevant contractual provisions in place that relate to any data that you are holding.
An important area to address — consent.
This is a big area to address, and probably the one that most employers will need to review. To comply with the GDPR you are not able to say that you can process the data because no one has objected to you doing so, or because you have sought general permission from employees or others for the processing.
You will be required to have clear and unambiguous affirmative consent to holding and processing the data. “Affirmative” is important — this means that you cannot ask someone to “untick” a box if they do not give consent, for example. There must be something that they are required to do to specifically give consent.
This does mean that you might need to review the consent that you currently have to hold and process data. Thinking about employees specifically, this might be a good opportunity to ask individuals to confirm that the data that you hold about them is correct (always useful for you to have up-to-date information) and then to ask them to sign an agreement that allows you to hold and process the data.
What actions should you take?
The Information Commissioner’s Office sets out 12 steps that you should take to prepare for the GDPR. In summary, these 12 steps are the following.
Make those responsible for holding and processing data in your organisation aware of the GDPR.
Audit the data that you hold. Identify any issues that you might need to address.
Review your current privacy policies.
Check your procedures to ensure that they cover all employee rights, including the right to have data about them deleted.
Review the process that you have in place for subject access requests.
Make sure that you have a lawful basis for processing data, and review your policies if necessary.
Review the consent that you currently have for any data that you hold, and consider whether it meets the more stringent requirements of the GDPR. If it does not, seek new consent.
If you hold any data about children review your procedures and see if they need altering to be more specific about parental/guardian’s consent.
Put procedures in place to detect, report and investigate any data breaches.
Familiarise yourself with the ICO’s Code of Practice on Privacy Impact Assessments.
Make sure that you have a designated person in your organisation with responsibility for data protection.
Review whether you need to change your data protection procedures given the breadth of the GDPR in applying to all countries in the EU as well as countries outside the EU who are suppliers into the EU.