General Data Protection Regulation (GDPR) – Data Protection Changes
When the General Data Protection Regulation comes into force on 25 May 2018, it will increase the burden on employers in terms of how personal data is controlled and used within a company. As we have previously advised, the introduction of much larger fines (up to €20 million or 4% of annual worldwide turnover, whichever is greater) means companies need to ensure they are prepared.
From May 2018 there will be 80+ new requirements under the GDPR. HPC have picked out some of the key requirements that companies need to be aware of, particularly around employee data:
- A requirement to notify ‘personal data breaches’ to the Information Commissioner within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The term ‘personal data breach’ covers all kinds of commonly occurring workplace mistakes, such as a laptop or file left on a train or an e-mail sent to the wrong address. It is important for companies to remind employees that even apparently minor incidents must be reported internally, and promptly, if data has been lost or compromised, because the 72-hour period runs from the point at which the company becomes aware of the breach.
- Records must be kept of all personal data breaches, their effects and any action taken, even where the obligation to notify the regulator is not triggered. Importantly, if the breach is likely to result in a high risk to the data subjects (for example the clients or customers named in the lost file), they must also be told without undue delay.
- Companies will no longer be able to charge an employee for submitting a Subject Access Request (SAR) to access their own personal data (currently a £10 administration fee). The timescale to respond to a SAR will be reduced from 40 days to one month, although an extension of two further months is available where requests are complex or numerous. A reasonable fee may still be charged, or a request refused, only where it is manifestly unfounded or excessive.
- Because of the imbalance of power between employer and employee, the GDPR treats employees much as it does other vulnerable data subjects and sets a much higher bar for employee consent: consent given by an employee will rarely be regarded as freely given, so employers need to consider carefully whether they can rely on consent at all, or whether another lawful basis (for example performance of the employment contract, a legal obligation or legitimate interests) applies to each use of employee data.
The General Data Protection Regulation specifically defines consent as:
‘freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
This means that for many companies the clauses currently used in their employment contracts or data policies will no longer count as an employee’s consent to the company holding and processing data on them, for several reasons: consent buried in a contract is not specific to a purpose, is unlikely to be freely given, and does not involve a clear affirmative action. Companies will need to look at what data they require and the purposes for which that data will be processed. Once this has been done, companies will need to inform their employees in a clear and concise way what their data is being used for and on what lawful basis; where consent is relied upon, it must be obtained separately for each type of processing. Companies can no longer rely on silence or pre-ticked boxes, e.g. ‘if you have not ticked this box, you agree to the company holding data on you’.
- Where processing is based on consent, companies have a duty to inform employees that they have the right to withdraw that consent at any time, and withdrawing consent must be as easy as giving it.
- Although employees have always been able to request that incorrect data a company holds on them be corrected, under the right to rectification data controllers will now face a mandatory obligation to notify each recipient to whom the data has been disclosed (for example a payroll provider or pension scheme) of any amendment, unless this proves impossible or involves disproportionate effort, and to tell the employee who those recipients are if asked.
- One new right which has the potential to cause challenges to companies is the right to erasure (the ‘right to be forgotten’): the right to have personal data deleted where, for example, it is no longer needed for the purpose for which it was collected or consent has been withdrawn. It is not an absolute right, and an employer will often have a legal or contractual reason to retain some records. Where deletion is required, this is fine if you only hold data on one system, but most companies hold data on several systems, including with third parties, so companies need to know where employee data is held and put in place a procedure to ensure it is deleted everywhere, including by those third parties.
Going forward, the Regulation mandates that at the time personal data is collected, the data controller must provide the individual with a range of information about why and how the data is collected, including details of:
- the legal basis upon which personal data will be processed;
- how long personal data will be retained;
- if, and the extent to which, personal data will be transferred overseas, and, in the event that personal data will be transferred outside of the EEA, the appropriate safeguards in place to protect that data; and
- the mechanism by which an individual can make use of their data subject rights, including:
  - how to make a subject access request; and
  - how to request the deletion or rectification of personal data.
All HPC clients will receive an updated data policy along with detailed guidance shortly, but in the meantime, should you have any queries, please do not hesitate to contact the HPC team for further information.
T: 0844 800 5932
For HR news and updates follow us on Twitter @HPC_HRservices