GDPR: What employers need to know

The EU’s General Data Protection Regulation (GDPR) will come into force on 25 May 2018, bringing about a number of significant changes in how organisations process, manage and store personal data. The UK will still be a member of the EU, so British employers need to be prepared for the impact of the GDPR, despite Brexit.

What is the GDPR?

The GDPR is a major update to the EU’s existing data protection rules, designed to reflect some of the defining trends of recent years such as globalisation and accelerating growth in digital technology. Its intention is to strengthen and unify data protection for individuals within the EU.

In addition to EU-based companies, it will apply to any company processing the personal data of EU citizens in relation to the delivery of goods or services or behaviour monitoring.

What it means for employers

The GDPR will enforce a number of changes that employers – specifically HR departments – will need to be aware of when processing and handling employee data.

Among these is the concept of ‘data protection by design’, which requires employers to make data protection risks a key part of the process of designing and operating policies, processes, products and services. The GDPR also mandates ‘data protection by default’, which states that only the personal data required for each specific purpose should be collected and processed.

Another concept that falls under the umbrella of the GDPR is consent. Questions have been raised about the idea of employers processing personal data based on employee consent, given the imbalance of power in the employer/employee relationship. When the GDPR takes effect, organisations will have to comply with stricter requirements to ensure that consent is “freely given, informed, specific and explicit”.

As far as providing information for members of staff and job applicants is concerned, the new regulations will require employers to go into much more detail. From 25 May 2018, information that organisations will have to provide will include:

• The identity and contact details of the employer (the data controller).
• Contact details for the data protection officer, if the company has one.
• The recipients of the data.
• How long the data will be stored for.
• The rights of the individual employee or applicant, including rights to access, rectify and request erasure of data.

Another key element of the GDPR is a requirement for companies to issue notifications of data breaches within 72 hours of becoming aware of them.

Regarding compliance, there will be much stricter penalties for those organisations that don’t adhere to the new rules. Fines could be as high as €20 million (currently £17.7 million) or four per cent of total worldwide annual turnover, whichever is higher, so being ready to comply is extremely important.

Getting ready

A recent report from cybersecurity firm Kaspersky Lab showed that only half (50 per cent) of businesses feel prepared for GDPR. The company said it is “hugely concerning” that half of the companies surveyed don’t feel ready for the regulatory change, considering “just how important it is”.

Speaking at a roundtable hosted by Kaspersky Lab, Sue Daley, head of cloud, data, analytics and artificial intelligence at techUK, said firms providing training on this topic need to look for ways to make it “real” for their staff. She added: “The first step is to talk about it and get people to understand what it means.”

At the same event, Caroline Hinton, head of HR at radio production company Somethin’ Else, said companies should view GDPR compliance not as a “tick-box exercise”, but something that is specifically designed and made relevant for certain roles and departments.

The British Chambers of Commerce outlined some key steps businesses should be taking now, which include:

• Documenting the personal data the company holds, where it came from and who it is shared with.
• Reviewing current privacy notices and planning for changes required before the implementation deadline.
• Checking procedures to guarantee individual rights outlined under the GDPR, such as the deletion of personal data and the electronic provision of data.
• Determining whether the organisation requires a data protection officer.

BCC executive director David Riches urged businesses to “be proactive” in complying with the GDPR in order to avoid financial penalties and public scrutiny. He also reassured those firms that are already vigilant about their data protection responsibilities that they “won’t be unduly burdened by the new legislation”.