General Data Protection Regulations – GDPR
The General Data Protection Regulations (GDPR) are the biggest upset to data protection since the Data Protection Act of 1998.
One of the important things to note is that the sanctions for non-compliance have increased from the current maximum level of £500,000, which most people or businesses would think was pretty hefty anyway, to a staggering €20,000,000 (around £17m) or 4% of a business’s annual worldwide turnover, whichever is higher. There are also criminal sanctions for holding data incorrectly or breaching the data protection rules. Then add to this the fact that individuals can now claim compensation for loss caused by breaches or inappropriate use of data. They can also claim compensation for distress caused by a breach – injury to feelings.
The General Data Protection Regulations are a huge work of legislation which covers a raft of areas where data needs to be protected, from online marketing to a ‘right to be forgotten’ or to be purged from data held. It affects relationships between customers, suppliers, website users and those on marketing lists.
The new legislation comes into force on 25 May and all businesses must be ready by then. Perhaps I should say that although this is EU legislation it will not be affected by Brexit as there is a Bill going through parliament to mirror the EU legislation.
Obviously, we are concerned with how the General Data Protection Regulations affect employers and employees and any arrangements that HR need to make to ensure compliance. As employers you will hold a range of information covered by the regulations including, information about health, pensions, payroll, loans, CCTV images, emails, disciplinary and grievance processes. You may also be holding data about previous jobs, references, qualifications etc.
You may also hold data about other people – next of kin, information on employee’s children their names and birthdays.
There may well be very legitimate reasons for holding data – it would, for instance, be impossible to pay someone without holding certain data, but the new legislation makes it clear that you have to have a reason for holding data, you have to have positive consent to hold it and you must not hold it for longer than necessary.
Previously we have added a simple clause to contracts so that an employee, is giving consent to data being held, this is no longer to be considered a safe method of obtaining consent. Now employees need to offer ‘informed consent’ which is freely given, unambiguous and specific to each area of data being held. But that is not all, we must also allow consent to be removed at any time.
Previously employees could make a subject access request in order to see what information is being held, this request had a cost of £10 attached and employers had 40 days to comply. That £10 cost has been removed and employers must comply as soon as possible, but no longer that 30 days.
But complying with the request may not be a simple as you would expect, you cannot simply send a copy of the personnel file – imagine that you have been sent an email from an employee apologizing for being late as they had to pick up little Johnny as he was sent home from school with head lice. You now have data about Johnny, which you might pass to a business partner, line manager and HR – could you find all of those emails if you needed to? Consider how much more difficult it might be if the emails were on personal smart phones.
This small article is simply designed to raise awareness about the new GDPR legislation, it is not designed to make you compliant with the Regulations.
Premier Legal is holding seminars and webinars about the GDPR and can provide a GDPR for Employees policy for your business, we can advise on the changes that you need to make to your contracts of employment to ensure that they are compliant and help you with your GDPR Audit.
You can find more information about the GDPR at the Information Commissioners Office, by clicking here.
Please call Premier Legal LLP on 0845 070 0505 or at our Nottingham Head Office on 0115 988 6211 where someone can help you with any queries that you may have. Alternatively please send your query to firstname.lastname@example.org and will get back to you as soon as possible.