GDPR – Are You Ready?

September 12, 2017

With just over eight months to go until the EU General Data Protection Regulation (GDPR) comes into force (on May 25, 2018), now is a good time to take stock and ensure that your organisation’s HR practices will be compliant with the new regime.

Our previous update identified some of the key changes that will be introduced by the GDPR and what employers needed to do to prepare for these.

In today’s update we address some of the questions that we are still receiving about GDPR compliance:

1. Can we just ignore GDPR given that Brexit is coming?

No. The UK Government has confirmed that Brexit will not exempt UK organisations from GDPR compliance. Indeed, the Queen's Speech in June announced government plans to introduce a Data Protection Bill, which will provide for the repeal of the Data Protection Act 1998 (DPA) and incorporate the GDPR and related UK derogations into UK law.

2. The GDPR doesn't apply until May 2018, so have we still got plenty of time?

Eight months seems like a long time, but the GDPR imposes substantial additional obligations on companies and there is a lot of work to be done to ensure compliance. As identified below, there will be changes required to policies, procedures and IT systems. Staff who process data will also need to be trained on the new requirements.

3. What will change?

By way of high-level summary, the key changes are as follows:

Transparency: The GDPR requires more extensive information to be given to individuals about the processing of their personal data.

Accountability: Employers must be able to demonstrate their compliance with GDPR principles, including by adopting certain 'data protection by design' measures such as policies, audits, protective measures and record keeping.

Consent: It will be very hard for employers to rely on consent as a condition of processing employee personal data. A general consent to processing clause in the employment contract, as is currently common, will not be sufficient. Prior to giving consent, employees must also be informed of the right to withdraw consent at any time.

Data Processors: The GDPR imposes direct statutory obligations on data processors, which means they will be subject to direct enforcement by supervisory authorities, fines, and compensation claims by data subjects. It also expands the mandatory terms which must be included in processing contracts.

Data breach: Data controllers will be required to report personal data breaches to the Information Commissioner’s Office (and in some cases, the data subjects) as well as maintain a breach register.

Rights of Data Subjects: These are enhanced and will include a right to be forgotten (erasure), to request that data be 'ported' in machine-readable form, and to object to processing for specific purposes. The £10 fee for subject access requests has been removed and organisations will now have only one month to respond to such requests.

Profiling: There will be strict regulation of data which is automatically processed and which is used to evaluate individuals, such as their performance at work or location.

Penalties for Breach: Depending on the type of breach, a fine of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater, may be levied. This is significantly higher than the current maximum of £500,000 for serious breaches. In addition, there may be liability to the individual in damages for loss caused.

4. What should I be doing to prepare my organisation?

Awareness: Make key people aware of the changes and plan to ensure your organisation has the appropriate governance, budget and resources in place.

Audit: Begin with an audit and record:

  • What personal data does it hold? Does it hold any special category data?
  • Where is it from and where is it sent?
  • Why is it processed? For what purpose?
  • How is the processing lawful and fair? Which of the fair processing conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

Review Lawful Basis for Processing Data: Identify the instances of processing where you rely on consent. In particular, review existing consent mechanisms to ensure employees are offered a genuine choice. Can you still rely on consent? If not, look for an alternative lawful basis for that instance of processing, such as whether it is necessary for the performance of the employment contract, for compliance with a legal obligation or for the pursuit of legitimate interests.

Review Consent Forms: Where consent is still required, such as when obtaining occupational health reports, obtain separate consents outside of the contract of employment, which include the additional information required under the GDPR.

Review Contracts of Employment: Ensure that any data protection provisions that remain in employment contracts are clear, specific and plainly worded.

Review Data Protection Policies: Ensure that data protection policies include all of the information that is now required under the GDPR, including information about the collection and use of personal data; the systems in place for dealing with compliance and for detecting and dealing with data breaches; clear rules and guidelines about how an individual's rights will be complied with; and when and how international transfers of data take place.

Provide Training: Ensure that relevant staff are trained to deal with subject access requests, data erasure requests, objections to processing, etc.

Review Processes and Procedures: Devise a process for identifying, recording and notifying breaches, and for responding to subject access requests, data erasure requests, objections to processing, etc.

Review International Data Transfers: Review any international data transfers and ensure appropriate transfer mechanisms are in place.

Review Supplier Contracts: Ensure contracts with third parties are GDPR-compliant.

5. How can Steptoe help organisations’ HR teams prepare?

We can review and/or draft:

  • Consent statements used to collect personal and sensitive personal information
  • Policies relating to: privacy, data protection, document retention, data security, data breach, subject access requests, ‘bring-your-own-device,’ social media, and CCTV
  • Employment contracts and clauses
  • Suites of template documents relating to data subject requests for access, erasure, rectification, restriction of processing, data portability, etc.
  • Privacy Impact Assessment templates

We can also provide tailored training sessions for staff who will be responsible for GDPR compliance.

Please call Nic Hart to discuss how we can best assist your organisation with data protection compliance and help you ensure that your HR team and wider business are GDPR-ready.