The EU’s General Data Protection Regulation (“GDPR”) comes into force in the UK on 25 May 2018 and will make substantial changes to our data protection law.
As May approaches, GDPR is being increasingly talked about, and there are more and more GDPR consultants and training courses appearing by the day. But what does your business really need to do to get ready for GDPR, and what might happen if you don’t?
Although the GDPR builds on many of the existing data protection principles we are used to, it takes these much further:
- expanding the definitions of personal data, “special categories of personal data” (currently known as sensitive personal data) and “processing”, so that more data and virtually all activities relating to data will be “caught” by the new regime;
- extending data subjects’/individuals’ rights in relation to their personal data;
- placing tighter restrictions on data controllers and processors; and
- dramatically increasing the sanctions imposed for getting it wrong.
The GDPR introduces both enhanced and entirely new rights for individuals, including:
- an enhanced right to be informed, under which you must also tell an individual the lawful basis for, and the purposes of, your processing of their personal data;
- an enhanced “right of access” (formerly referred to as subject access rights/requests), under which you must disclose more information to an individual than before, in a reduced timescale and (usually) without charging;
- a new “right to be forgotten”; and
- a new right to data portability.
Data controllers’/employers’ obligations
The GDPR also introduces broader, more prescriptive obligations for employers.
To lawfully process personal data, data controllers/employers must comply with wider data protection principles, including acting with “transparency”, limiting any processing to what is “necessary” and demonstrating compliance with the GDPR at every stage.
The lawful bases for processing personal data are now more restricted.
For example, it will now be even harder for an employer to rely on an employee’s consent to process their personal data, because the GDPR treats consent as unlikely to be freely given where there is a clear imbalance of power, as there is in most employment relationships.
It will also be harder for an employer to rely on its “legitimate interests” to process data, as any processing on that basis must now also be “necessary” and must not override the employee’s rights. Going forwards, before relying on “legitimate interests”, an employer will have to carefully consider (and document):
- what its legitimate interest is;
- whether the processing is necessary for that interest (it won’t be if the same result can be achieved in a less intrusive way); and
- the rights of the employee: would they reasonably expect the processing, and does it cause them unjustified harm?
“Special categories of personal data” cannot be processed unless one of the specific conditions in the GDPR applies, for example:
- the data subject has given “explicit consent”, which may be very difficult to obtain in an employment context; or
- the processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”, and is authorised by EU or member state law providing “appropriate safeguards for the fundamental rights and interests of the data subject”.
The UK Data Protection Bill, which is still being debated and amended by Parliament, confirms that the “safeguards” for processing employees’ “special categories of personal data” are:
- the processing is “necessary…”; and
- the data controller (i.e. the employer) has “an appropriate policy document” in place when the processing takes place.
The policy document must explain the employer’s procedures for complying with the data protection principles when carrying out the processing, and its policies on the retention and erasure of the data, including an indication of how long the employee data is likely to be retained.
The Bill further obliges a data controller to keep the policy document under review and updated, and to make it available to the Information Commissioner on request.
This obligation continues for the “relevant period”, which starts when the processing first begins and ends 6 months after the processing is complete.
The Bill also contains the additional “safeguard” that the data controller must maintain a record of the “special categories of personal data” it has processed.
Employers also have a new duty to report personal data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. They must also keep a record of all personal data breaches, whether or not they were reportable.
What if it all goes wrong….?
As mentioned above, employers must self-report personal data breaches (subject to limited exceptions).
Once they have done so, they may face a range of enforcement action, including a potential fine of up to the greater of 20 million euros or 4% of their worldwide annual turnover. Under the current Data Protection Act, the maximum fine is £500,000, so the ceiling rises from half a million pounds to tens of millions, before the turnover-based alternative is even considered.
Directors and other officers may also be personally liable for offences committed by the company with their consent or connivance, and individuals may commit criminal offences, including altering, concealing or destroying personal data to prevent its disclosure in response to a subject access request. So don’t do that!
What does this mean for you or your business?
Whatever the nature of your business, you will process personal data in order to run it, even if it is only receiving someone’s email address.
To avoid falling foul of the GDPR (and the impending new Data Protection Act) and the associated criminal and financial penalties, you must take your enhanced data protection obligations seriously.
What should you be doing now?
To be ready for GDPR by May 2018, you need to begin compliance now.
A good starting point is to conduct a full data audit, considering what personal data you process, why and how you process it, whether that processing is likely to be lawful post-GDPR, how and where you store the data, how long it is to be retained, and so on. BPE’s GDPR team would be happy to assist with this.
You should also review your current procedures and record-keeping and consider if these need changing. For example, do you have procedures for dealing with right of access or breach reporting? How will you provide the required information to your employees? What records will you need to keep going forwards?
From an employment perspective, your key focus should be to update your existing Data Protection policy, if you have one, and to get one if not, as you will need this in order to process employees’ special categories of personal data.
There are, of course, wide-ranging implications for other areas of your business, which are beyond the scope of this note, including ensuring your commercial contracts are compliant, auditing your IT systems and databases and reviewing your marketing activities. BPE’s GDPR team would be happy to provide separate legal advice on these areas.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.