You will probably have heard of the General Data Protection Regulation (GDPR) and may even know that it comes into force on 25 May 2018. However, do you know the practical steps that you need to take to ensure compliance? Stuart Snelson, Partner and Head of Employment, considers the key changes and actions that employers need to take right now.
The GDPR is European legislation that will govern data protection and introduces significant changes to the current regime in the UK. A lot of the commentary around the GDPR relates to marketing and customer connections. However, this article looks at the practical steps that businesses will need to take to ensure compliance with the GDPR from an employment perspective.
The GDPR expands the definition of personal data and makes it clear that data can only be processed if you have legitimate interests in doing so or explicit and freely given consent. In the employment context, it is unlikely that you will want to rely on consent, and you should instead ensure you have legitimate interests in any data processing. Another key aspect is the requirement to ensure that employees are aware of the data you hold on them and what you do with it. Finally, there are significantly increased penalties, including a potential fine of up to €20m for breach of the GDPR.
So what should you do to ensure compliance? We recommend the key actions for employers are as follows:
- Review what personal data you hold and how it is processed.
- Consider why you process personal data and whether you have any legitimate interests in doing so.
- If you don’t have a legitimate interest, then either stop processing or seek consent.
- Review any consents held and consider whether they are freely given. If not, consider whether the data could instead be processed on the basis of legitimate interests, as above.
- Produce a fair processing notice (also known as privacy notice) setting out what data is held and the purpose for which it is processed.
- Review your procedures for allowing access to personal data. Be aware of the reduced time you have to deal with any requests and the fact that you can no longer charge a fee.
- Prepare a data breach action plan so you can take action fast if any data breach occurs.
- Have procedures in place to deal with requests under the right to be forgotten.
We recommend that all employers carry out an audit now to ascertain what personal data they hold and how it is processed. An assessment can then be made as to what needs to be done to ensure this processing is compliant with the GDPR. We appreciate that this can be a daunting task, and we are able to assist you with this GDPR audit by offering an initial meeting for a fixed fee of £250 plus VAT. At this meeting we will consider how you currently process personal data, whether this is lawful and what you need to do to be GDPR compliant. Following this meeting we can then suggest what needs to be done and provide further support on a fixed fee basis. This may include assessing if consent is required, considering legitimate interests and updating your privacy notices, contracts or handbooks.
If you would like help with your GDPR audit or any employment matter then please get in touch by emailing firstname.lastname@example.org or call 01908 689318.