What is happening?
The General Data Protection Regulation (GDPR) will apply throughout the EU from 25 May 2018. It replaces the Data Protection Directive, which is implemented in the UK through the Data Protection Act 1998 (DPA), and as a regulation it applies directly without the need for national implementing legislation.
The aim of the GDPR is to:
- Introduce greater harmonisation of data protection across the EU
- Provide a risk-based approach to compliance – businesses bear the responsibility for assessing the degree of risk that their processing activities pose to data subjects
- Provide a “one-stop shop” for data protection across the EU, so that an organisation operating in several member states deals principally with a single lead supervisory authority
How is it different to the current DPA?
- Many core concepts under the DPA will remain unchanged. For example, the concepts of personal data, data controllers, and data processors are broadly similar in both the DPA and the GDPR.
- The GDPR will apply to “personal data”, meaning any information relating to an identified or identifiable living individual. The definition is broader than under the DPA and, in the employment context, will include information in an employee’s personnel file, information held on HR systems, information contained in emails and information obtained through employee monitoring. Personal data will also include business contact information, as well as genetic, cultural, economic and social information that can be linked to an individual.
- The GDPR regulates the “processing” of personal data, including the collection, storage, use, alteration, disclosure and destruction of information. Organisations that decide why and how personal data is processed are “data controllers”, organisations that process personal data on a controller’s behalf are “data processors”, and the individuals to whom the data relates are “data subjects”.
- The GDPR applies to the personal data of all individuals, so in the employment context it covers not only employees but also contractors, agency workers and job applicants.
What does this mean for organisations?
Essentially it means a lot of work! All organisations will need to analyse their current processes with data, including employee, IT, marketing, client and supplier information. This is likely to result in changes to current practices and processes.
Loch Associates Group can audit your current data handling and make personalised recommendations to help ensure you are compliant.
What are the next steps?
- Understand that the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) will have an important and significant impact and will change data protection law in the UK when it applies from 25 May 2018.
- Businesses that operate internationally will need to determine which data protection supervisory authority acts as their lead authority.
- Carry out a data audit and carefully assess current HR data along with data held on business contacts, clients and suppliers and related processing activities, identifying any areas that will be affected by the GDPR.
- Identify high risk areas for the business by auditing existing data processing activities across the organisation.
- Conduct an assessment of the legal grounds for processing personal data.
- Review how the business obtains, records and deals with the withdrawal of consent. Under the GDPR consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give, so pre-ticked boxes and consent buried in other terms will not be sufficient.
- Understand new obligations under the GDPR to provide information to employees and job applicants about the processing of their personal data.
- Review current privacy notices and update them to comply with the more detailed information requirements.
- Be aware of new record keeping obligations for employers to demonstrate compliance with the GDPR requirements.
- Ensure the right procedures are in place to detect, report and investigate a personal data breach. The GDPR requires notifiable breaches to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, so the procedure needs to cover detection and escalation as well as the decision on whether to notify.
- Ensure that decision makers, including the board and senior management understand the potential exposure to fines and other sanctions under the GDPR.
- Consider whether the organisation is required to appoint a Data Protection Officer and, if not, whether to nominate an individual or team responsible for compliance under the GDPR.
- Agree an internal timescale for compliance.
Please contact us for an initial audit service of your current data processes, followed by personal recommendations for your organisation to be compliant with the GDPR.
Loch Associates Group can help you understand the GDPR and your obligations as well as assess your compliance.
Call us on 01892 773970 or email us at email@example.com