How will the GDPR affect your business?
GDPR: four apparently innocent letters, but they represent a significant challenge for any business that handles any form of personal data. Failure to comply can lead to fines of up to €20 million (roughly £17 million) or 4% of annual worldwide turnover, whichever is higher, so it is critical that every business, whatever its size, understands how the GDPR will affect it and starts now to put in place the processes that compliance requires.
What does the GDPR mean?
GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). Political agreement on the text was reached on 15 December 2015, the Regulation was adopted in April 2016, and it applies across the EU from 25 May 2018. It is designed to harmonise the protection of personal data across all member states and, being a Regulation rather than a Directive, applies directly in each of them. In the UK, the GDPR replaces the Data Protection Act 1998. The UK’s decision to leave the European Union does not change this: the Regulation takes effect before the UK leaves, and the UK government has said it will keep the same rules afterwards, so do not assume it will not affect you.
Why has it been introduced?
The growth of the digital economy and the increasing use of social media, by individuals and businesses alike, have produced an avalanche of personal data that is routinely collected and exchanged between companies. Large platforms such as Facebook and Google, for example, combine personal data across their own service platforms.
The new Regulation updates the definition of personal data to reflect modern lifestyles, changes in technology and the way in which organisations collect and store information. It also gives individuals more control over, and more rights in respect of, how their personal data is collected, stored and used.
What does it mean for your business?
The GDPR applies to every organisation that processes personal data, however small. The one concession to size is that organisations with fewer than 250 employees are exempt from the formal record-keeping requirement (Article 30), and even that exemption falls away if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data such as health information or criminal records. It is important to note that ‘data subjects’ are not just customers but also employees, ex-employees and job applicants.
You should not underestimate the impact of the new Regulation, as the definition of ‘personal data’ is wide and covers any information relating to an identified or identifiable individual. This includes online identifiers such as IP addresses and location data, and something as simple as a work email address that contains a person’s name will usually qualify.
The Regulation is ‘technology neutral’: it applies not only to data held electronically but also to “personal data which form part of a filing system or are intended to form part of a filing system”. So it includes data held on paper in filing cabinets, contact lists on phones, and so on.
For HR data the situation is complex, because there is a lot of information from multiple sources and the data is often captured or circulated informally. In many cases the data is sensitive, particularly health information, criminal records and racial or ethnic origin, all of which the GDPR subjects to additional restrictions.
To understand how the GDPR will affect your business as far as HR data is concerned, you first need to understand what you use your HR data for and why you need it.
In broad terms, to comply with the GDPR, you will need to start looking at what data you collect and store to ensure that you:
- Only collect the data that you need
- Keep all data secure
- Delete data that is no longer required
- Have written data management policies in place and ensure that all employees are aware of their obligations
The Regulation permits the collection, storage and processing of personal data only where there is a lawful basis for it. The two bases this article concentrates on are ‘legitimate interests’ and ‘consent’, although others, such as performance of a contract or compliance with a legal obligation, are often the right basis for HR data (processing payroll, for example). Whichever basis you rely on, you must tell individuals why you need the data and how it will be used, and you need a clear process for handling objections: under legitimate interests individuals can object to the processing, and under consent they can withdraw it at any time.
The treatment of ‘consent’ as a basis for using personal data has been significantly tightened under the GDPR. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence or inactivity no longer count. You must also spell out how the information will be used. There is a particular difficulty in the employment context: because of the imbalance of power between employer and employee, regulators are unlikely to accept that an employee’s consent is freely given, so for most HR processing you should rely on another lawful basis where one exists.
This has far-reaching implications, particularly when seeking consent to obtain a medical report, since health data is a special category for which explicit consent, or another condition under Article 9, is required.
Individuals have stronger rights under the new Regulation: the right to be informed; the right of access; the right to rectification of inaccurate data; the right to erasure (the ‘right to be forgotten’); the right to restrict processing; the right to data portability; the right to object to processing; and rights in relation to automated decision-making and profiling. You will need to consider how you would comply with each of these if an individual exercised it, bearing in mind that a subject access request must generally be answered within one month and can no longer attract a fee.
What do you need to do now?
In broad terms, you should consider:
- Appointing someone to be responsible for GDPR compliance. Note that the ‘data controller’ is your organisation itself, not an individual; the named individual role is the Data Protection Officer (DPO), which is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, and good practice for everyone else;
- Conducting an audit to identify what data is being collected, stored and processed, where it is held, who has access to it and why;
- Preparing an action plan to ensure that your business has everything in place to be compliant by May 2018;
- Determining what records you need to keep to demonstrate, under the GDPR’s accountability principle, that data processed under ‘legitimate interests’ has been properly assessed, typically a documented assessment balancing your interests against those of the individual;
- Identifying what information, if any, will be handled under the more onerous rules for ‘consent’.
Over the next few months, we will be breaking down in bite size chunks how to address HR data under the GDPR.