The General Data Protection Regulation
In the biggest shake-up of data protection law for a generation, the new GDPR legislation applies from May 2018. With businesses facing potential fines of up to €20 million, or 4% of annual worldwide turnover if that is higher, for non-compliance, is your business ready?
Last October, the Information Commissioner’s Office (“ICO”), an independent regulatory body, fined TalkTalk £400,000. The ICO concluded that the company had failed to take basic steps to protect customers' personal information and in doing so, breached fundamental data protection principles.
The GDPR applies from 25 May 2018. Its purpose is to protect personal data and to harmonise data protection law throughout the European Union. One of the most radical and wide-ranging reforms of data protection law ever, it replaces the regime of the Data Protection Act 1998. The government has already confirmed that, despite Brexit, the GDPR will still be brought into UK legislation.
The Data Protection Act 1998 focused on paper records and data stored on central servers. In 1998 not everyone had access to the Internet, so the risks now associated with cyber security were barely considered.
With data now held in multiple places, including mobile devices, data centres and the cloud, the 1998 Act is no longer fit for purpose.
Who does GDPR apply to?
The GDPR will apply to all organisations that hold or process personal data about living individuals. That includes any employer who holds personal information on an employee, e.g. their name, address, date of birth, bank details and so on.
Accountability is at the heart of the GDPR: businesses will need to be able to demonstrate compliance, both to avoid fines and to defend claims for compensation from any person who has suffered damage as a result of a breach.
Employers must have a lawful basis for holding employee data
Consent is only one of the lawful bases the GDPR allows for processing personal data; others include performance of the employment contract, compliance with a legal obligation and the employer's legitimate interests. Because of the imbalance of power between employer and employee, the ICO's guidance indicates that consent will rarely be freely given in an employment relationship, so where employers do rely on consent they must meet a high standard.
The ICO has published detailed guidance on this area, but the important principle to remember is that consent must be freely given, specific, informed and unambiguous.
Under no circumstances can consent be inferred from silence, pre-ticked boxes or inactivity.
At the moment, most businesses rely on a clause in their employment contracts stating that the employee consents to their data being held.
This will no longer be sufficient. The GDPR imposes strict conditions on data controllers who rely on consent, including:
- Businesses must be able to demonstrate that the employee has consented to the processing of their data
- The request for consent must be in clear and plain language, presented separately and not buried as small print in another document
- The employee has the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it
If you already have data handling policies in place, these will need to be reviewed and almost certainly updated. Businesses should seek legal advice.
We can help you with this and please get in touch if you would like to discuss what steps you need to take to comply.
Note: This article is intended as a guide only. It reflects our understanding of the law, which is new and subject to amendment, and should not be relied on as legal advice.