1. What is the General Data Protection Regulation?
This is the new governing legislation for collecting and processing personal data in the EU.
2. When will it come into force?
Very soon – in fact it comes into effect on 25 May 2018 for all EU Member States, including the UK. The standards will apply after Brexit.
The government has also published the Data Protection Bill which will supplement the GDPR and will replace the old Data Protection Act 1998.
3. What does the GDPR apply to?
The GDPR applies to ‘personal data’ - this means any information which relates to someone who can be identified.
4. Do I really need to worry about it?
Whilst many of the principles that are already familiar under the Data Protection Act 1998 will remain the same, the GDPR has new requirements which will impact on the issue of consent and compliance.
5. I am just a small firm, so I do not need to worry about it?
Unfortunately not – all employers will have to comply, regardless of their size, if they process personal data.
6. Can I not just rely on the usual clauses in employment contracts regarding consent?
This is all going to become a lot more complicated – the GDPR will restrict the use of consent as a justification for processing data. This is going to make life more difficult as the GDPR states that consent must be freely given, specific, informed and unambiguous.
General clauses in employment contracts trying to state that consent is given will no longer be a valid legal basis to justify processing employee data. We will provide a further update on the issue of consent.
7. What else might I have to change?
Currently, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will have to provide more detailed information. We will provide a further update with more details on the changes to privacy notices and changes to subject access requests.
8. If there is a breach relating to data, presumably I will have to report it once this has been fully investigated?
No – the GDPR will impose a new mandatory breach reporting requirement and you will have to notify any possible breaches within 72 hours, whether the investigation is complete or not.
9. Will there be fines?
There is the potential for significant penalties to be imposed – up to €20 million or 4% of annual worldwide turnover, whichever is the greater.
10. As long as I comply with the new regulation, if there is a deliberate breach by an employee the company will surely be ok?
No – in a recent case involving Morrisons, they were held to be vicariously liable for the actions of a disgruntled employee who leaked the details of 100,000 employees. The case is under appeal but if the appeal fails, Morrisons could be at risk of a significant fine.
11. I have heard something about a right to be forgotten. What does this mean?
Basically, this means that an individual can request for their data to be removed or deleted when there is no compelling reason for a business to continue processing that information. This has been watered down a little and in the GDPR legislation, it has been termed as the ‘right to erasure’.
This right will apply in certain circumstances:
- when the data is no longer necessary or relevant;
- when the individual specifically withdraws consent to processing;
- when personal data has been unlawfully processed in breach of the GDPR; and
- when the data must be erased in order for a controller to comply with legal obligations.
If any of the above conditions applies under this right of erasure, it is the data controller’s responsibility to delete and remove the data. This should be done without any unreasonable delay but definitely within a month unless specific circumstances apply.
It is worth noting that this right is not absolute and it is not unlimited either.