Do you still have questions about the coming new General Data Protection Regulation (GDPR)? Maybe you are not sure about what it will mean for your business and the measures you need to take to ensure your company doesn’t come under fire.
This is the new governing legislation for collecting and processing personal data in the EU.
Very soon – in fact, it comes into effect on 25 May 2018 for all EU Member states, including the UK. The standards will apply after Brexit.
The government has also published the Data Protection Bill which will supplement the GDPR and will replace the old Data Protection Act 1998.
The GDPR applies to ‘personal data’ – this means any information which relates to someone who can be identified.
Whilst many of the principles that are already familiar under the Data Protection Act 1998 will remain the same, the GDPR has new requirements which will impact on the issue of consent and compliance.
Unfortunately not – all employers will have to comply, regardless of their size, if they process personal data.
This is all going to become a lot more complicated – the GDPR will restrict the use of consent as a justification for processing data. This is going to make life more difficult as the GDPR states that consent must be freely given, specific, informed and unambiguous.
General clauses in employment contracts trying to state that consent is given will no longer be a valid legal basis to justify processing employee data.
We will provide a further update on the issue of consent.
Currently, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will have to provide more detailed information.
We will provide a further update with more details on the changes to privacy notices and changes to subject access requests.
No – the GDPR will impose a new mandatory breach reporting requirement and you will have to notify any possible breaches within 72 hours, whether the investigation is complete or not.
There is the potential for significant penalties to be imposed – up to 20 million euros or 4% of annual worldwide turnover, whichever is the greater.
No – in a recent case involving Morrisons, the company was held to be vicariously liable for the actions of a disgruntled employee who leaked the details of 100,000 employees. The case is under appeal, but if the appeal fails, Morrisons could be at risk of a significant fine.
Basically, this means that an individual can request that their data be removed or deleted when there is no compelling reason for a business to continue processing that information. This has been watered down a little, and in the GDPR legislation it has been termed the ‘right to erasure’.
This right will apply in certain circumstances:
- when the data is no longer necessary or relevant;
- when the individual specifically withdraws consent to processing;
- when personal data has been unlawfully processed in breach of the GDPR; and
- when the data must be erased in order for a controller to comply with legal obligations.
If any of the above conditions apply under this right of erasure, it is the data controller’s responsibility to delete and remove the data. This should be done without any unreasonable delay but definitely within a month unless specific circumstances apply.
It is worth noting that this right is not absolute, and it is not unlimited either.
The GDPR will have a significant impact on the way your firm processes personal data and will require considerable effort to comply with. Fortunately, Aeris Employment Law can help you: please contact Karin Henson on 0121 392 7479 or use our online contact form and we will give you a callback.