The GDPR will introduce changes to the way that data is processed across the EU. As part of this, employers are likely to have to find an alternative to consent to process personal data and the regulators will be able to impose significantly higher fines than under existing provisions – up to €20 million or 4% of an organisation’s annual worldwide turnover, whichever is greater.
Jo Stubbs, Head of Content at XpertHR Group, says: “The new GDPR means employers need to rethink how personal data is collected, used and kept.
“With just over six months to go employers need to understand the implications of the new regulation and ensure they are compliant in time.”
Ten things employers need to know about the GDPR:
1. GDPR affects small employers too – The GDPR will apply to organisations of all sizes, but not all organisations will be treated the same. Those that are not processing large amounts of data and are not involved in high risk processing won’t be expected to commit as many resources to GDPR compliance.
2. Employees have the right of access to data – The Data Protection Act 1998 already gives employees the right to make a subject access request in relation to their personal data, but under the GDPR these rights will be extended.
3. Organisations need good reason to process personal data – The GDPR specifies the conditions under which it is lawful to process data, and organisations need to be sure that at least one applies. While having “consent” is one, the employer/employee relationship means it could be tricky to prove that consent has been freely given, so it is advisable to rely on at least one other.
4. The GDPR will impact on the recruitment process – The GDPR will bring new protections for potential employees and, with it, new responsibilities for recruiters. For example, employers will need to formalise the reasons why data is processed and the period for which it will be retained, and provide this information to applicants.
5. Individuals have the right to be forgotten – The GDPR sets down the rights of individuals to ask that their personal data be erased.
6. Criminal records checks – Under the GDPR, employers would be allowed to carry out criminal records checks on prospective employees only if this is specifically authorised by law, for example where a Disclosure and Barring Service check is required for a role involving work with vulnerable adults or children. However, this is an area where the GDPR allows governments to set their own rules to some extent – and, under the proposed new UK data protection law, employers will be able to carry out criminal records checks in more circumstances, so this is an area to watch for developments.
7. Organisations may need to appoint a data protection officer – Where an organisation is a public body, its core activities involve large-scale data processing requiring regular monitoring of individuals, or it carries out large-scale processing of sensitive personal data or data relating to criminal convictions, it will need to appoint a data protection officer.
8. Data transfer outside the EEA will be controlled – If an organisation transfers personal data outside the European Economic Area (EEA), it will need to ensure that adequate protection is provided.
9. Organisations will need to provide an “information notice” – A key requirement of the GDPR is that employees are informed about the processing of their personal data, and this must be formalised in an information notice (also known as a “privacy” or “fair processing” notice). The information provided needs to be significantly more detailed than that provided under the Data Protection Act 1998.
10. Non-compliance could be very costly – Compliance with the GDPR is not something to be taken lightly, with fines as high as €20 million or 4% of the organisation’s global turnover – whichever is greater – for breaches.
Jo Stubbs adds, “It’s important employers take a realistic, risk-based approach to compliance. With the deadline looming, employers should be focusing on the most important and riskiest areas first.”