HR MATTERS THE GDPR AND YOUR BUSINESS Gareth Edwards discusses the changes businesses will need to make on implementation of the GDPR in 2018. DATA protection law has recently been updated by Europe and will be in place in less than two years. The General Data Protection Regulation (GDPR) was finalised at the end of April 2016 after four years of discussion, disagreement and negotiation and will directly affect all member states from May 2018. But a question arises: now that we’re scheduled to leave the EU will the GDPR still matter? The answer is yes – it will. The Secretary of State for Culture, Media and Sport, Karen Bradley, before a House of Commons committee at the end of October 2016, formally stated: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR.” LARGE PENALTIES The view is that the GDPR is not a monster but it needs to be taken seriously. Changes will be required, and if the required changes are not made then firms risk considerable fines and reputational damage. Indeed, under the GDPR, those organisations that breach the law could face a fine of up to four percent of annual worldwide turnover or €20 million (whichever is the greater). This is markedly higher than the £500,000 that the Information Commissioner (ICO) can levy now. The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person's rights in respect of their personal data and is built upon eight data protection principles. These require that personal data is processed fairly and lawfully; obtained and used for specified and lawful purposes only; adequate, relevant and not excessive in relation to their purposes; accurate and up-to-date; not kept for longer than is necessary; processed in accordance with the individual’s rights; kept secure; and not transferred outside of the EEA without adequate protection. Apart from these there are other points to note about the present law. The first is that there are extra obligations when handling sensitive personal data such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have a right via a Subject Access Request (SAR) to find out what information is held about them. NEW RIGHTS Rights of the individual: individuals have a right to know what is going to be done with their data, and who it is The GDPR confers new rights such as having inaccuracies corrected, to have information erased, to prevent direct marketing and a right to data portability (because of this firms will have to provide data electronically). going to be shared with. A website privacy notice can tell people about this. Under the GDPR there is additional information that must be provided: firms will need to tell data subjects – users – the legal basis for processing their data, the data retention period; and of their right to complain to the Information Commissioner. The GDPR confers new rights such as having inaccuracies corrected, to have information erased, to prevent direct marketing and a right to data portability (because of this firms will have to provide data electronically). Presently, firms have 40 days to respond to a subject access request (SAR) but under the GDPR this will drop down to a month. Refusing a request will require a firm to have appropriate policies and procedures in place. There will also be obligations to provide additional information such as data retention periods and the right to have inaccurate data corrected. CONSENT FOR DATA PROCESSING For many, the most challenging area under the DPA is that of ‘consent’ and consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon ‘implicit consent’ then it must be ready to deal with a challenge as to how unambiguous the consent was. OTHER OBLIGATIONS There is presently no general obligation to report any data breaches, but the GDPR radically changes this and creates an obligation to report data protection breaches that could cause an individual harm within 72 hours. Firms should consider how they would deal with this new obligation. They should be asking: how secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met? One solution to compliance is obvious – appointing, a capable, interested person with the responsibility for ensuring that the obligations are met. The GDPR is a real and present threat to firms and organisations of all sizes and the financial consequences for ignoring the new rules are severe. However, those that plan and who choose to follow their obligations should have little to worry about. Gareth Edwards is a partner in the employment team at Veale Wasbrough Vizards. gedwards@vwv.co.uk. 60 <strong>March</strong> <strong>2017</strong> www.cicm.com The recognised standard
The recognised standard www.cicm.com <strong>March</strong> <strong>2017</strong> 61