GDPR – What is it and are you ready?
The implementation date of the EU General Data Protection Regulation (GDPR) is fixed for Friday 25th May 2018. All business organisations should be aware of their obligations and the steps they should take to prepare for the new regime.
The GDPR heralds one of the greatest changes in Data Protection Law in the UK for almost two decades, bringing with it a greater focus on individual rights and much greater financial penalties and stricter reporting timelines in the event of a data breach.
To comply with the GDPR, organisations should consider what data is collected and why. Should this data be considered “personal data” (i.e. any information relating to an identified or identifiable natural person), it will fall under the ambit of the GDPR. Businesses should consider their policies and procedures in respect of the collation and processing of personal data, as well as ensuring that they maintain appropriate protection within relationships where personal data is shared with another entity, e.g. for the purposes of processing payroll.
Employers in particular must consider the basis on which they obtain and process employee information, how the information is then stored and how it is ultimately destroyed. At all points, the “data controller” must consider the purpose for gathering the information and maintain the integrity of the data. All data controllers must be aware of the access rights held by the “data subject” and ensure that sufficient steps are taken to advise the data subject of those rights. The GDPR also places designated duties upon the “data processor”; such organisations must therefore also be aware of the remit of the GDPR.
As an initial step towards preparing for the forthcoming GDPR, organisations should conduct a “data audit”. In addition, employers are encouraged to review their contracts of employment to ensure that the legal purpose and basis of data collation is adequately documented, as well as reviewing any data protection procedures and policies contained within their staff manuals. However, documentation is only one step. Employers should also consider appropriate staff training to ensure that all members of staff are adequately equipped to deal with any data access requests, given the reforms to the previous “subject access request rights”, as well as how the organisation intends to protect the personal data it may collate, process and store.