This legislation now becomes law in all member states without the need for domestic legislation. Fortunately, there is a two year period built into the Regulation to give organisations time to prepare to comply with the changes. This is good news, because many of the provisions will come as a shock to UK employers.
What are the headlines?
- Higher penalties – currently, the maximum UK penalty for a data protection breach is £500,000. The new maximum will be 20 million Euros, or 4% of an organisation’s worldwide turnover if higher.
- Consent – many employers rely on employee consent to the processing of data, often obtained via a clause in the employee’s contract of employment. In future, consent will have to be “freely given, informed, specific and explicit”. It is likely that a clause in the employment contract will not be sufficient in future. This means that employers will need to think carefully about the reasons that they are using to justify processing of employee data.
- Subject access requests will be easier for employees – employers will not be able to charge a fee for subject access requests, will have to respond within one month of receiving a request (rather than the current 40 days), and will have to provide more information than currently. Fortunately, employers will have a new right either to charge a “reasonable” fee, or to refuse to respond to the request at all, where the request is “manifestly unfounded or excessive”.
- Right to be forgotten – new rights will allow employees to require complete erasure of their data in certain circumstances.
- Notification of breaches – in most cases where breaches of data protection lead to unauthorised loss, amendment or disclosure of data, employers will be under a new obligation to notify the breach to the Information Commissioner’s Office within 72 hours of the breach. Leaving a laptop on a train may have greater financial consequences for the business than ever before.
What should employers do?
Employers should start planning as soon as possible so that they are ready to comply with the new rules from the summer of 2018. Steps include:
- Carrying out an audit of all personal data held about employees, where it is held, and who it is shared with.
- Reviewing the grounds used to justify data processing, including consent.
- Reviewing data protection policies.
- Appointing a Data Protection Officer, where appropriate.
Training staff on their new data protection responsibilities.
If you would like more information about how to prepare for the new legislation, or if you would like us to review your policy to ensure that it is compliant, please contact Louise Connacher by email at firstname.lastname@example.org or alternatively by phone on 0113 280 2108.