GDPR: What Must Employers Do Now to Prepare?

on Friday, 11 November 2016.

We have recently reported that the Government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).

The GDPR is the new European Union legislation which will replace the EU Directive that underpins the Data Protection Act. The GDPR will apply across Europe with effect from May 2018 and the UK Government has now confirmed that it will come into UK law, notwithstanding the EU referendum vote.

Best Practice

The GDPR has a wide application. Employers should therefore ensure they are prepared for the GDPR and start considering any data protection issues now.

Prior to the implementation of the GDPR, employers will need to ensure their data handling practices are GDPR compliant. One of the areas of greatest change is the extent to which employers will be required to have a paper trail demonstrating GDPR compliance. This will include a requirement to:

  • carry out a privacy impact assessment (PIA) before carrying out 'high risk' data processing activities. The GDPR anticipates that Member States will provide further information on the types of processing which will require a PIA, but it is likely that activities such as large-scale staff monitoring (e.g., monitoring browsing habits or emails) will require a PIA.
  • include additional information in staff privacy notices. For example, employers will need to tell staff about their right to make a complaint to the ICO (the data protection regulator) and also to inform staff about the legal basis which the employer is relying on when handling staff data.
  • take additional steps when using data processors (e.g. payroll providers or cloud storage providers). For example, the GDPR will require additional clauses in written agreements and the employer will need to take additional steps to check that the data processor is complying with the data protection principles in practice.

Not only are the obligations on businesses becoming more onerous, but the sanctions for breaches of the GDPR are becoming more severe. For the most serious breaches, fines of up to a maximum of €20 million or, in the case of businesses, 4% of global turnover, whichever is the higher amount, may be imposed.
For more information, please contact Mark Stevens in our Employment Law team on 0117 314 5401.