Employers – Get Ready For GDPR

You have unlikely escaped the General Data Protection Regulations (GDPR) which will take effect on 25 May 2018. We look at what this means for businesses and employers.

Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive. Some of the new regulations mirror those found under this Act, but as of May this year, all will be superseded by the new legislation. GDPR aims to introduce tougher fines for non-compliance and breaches and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

Under Article 5 of the regulations it requires that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes: further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date: every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose to which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as personal data will be processed solely for archiving purposes in the public interest, scientific or any public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. Processed in a manner which ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) of the regulations requires that the controller should be responsible for, and be able to demonstrate compliance with the principles. So, in short, what does that all mean for you?

As a business, you must have a lawful basis in order to process personal data. Article 6 of the regulations sets out the lawful basis for processing data.  At least one of these must apply whenever you process personal data. The lawful bases for processing data are:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

You must determine the lawful basis (or base) before you begin processing and should document it, as well as the purposes for processing. Privacy notes should be updated in compliance with the new regulations.

A business needs to determine the lawful basis (or base) before starting to process personal data.  This is incredibly important as there is a requirement to get it right the first time.

Consent, contract and legitimate interests are likely to be the main basis upon which an organisation is likely to identify as a lawful basis (or base) and where the processing of such data is necessary.

There are tighter restrictions when processing special category data (previously referred to as sensitive personal data under the Data Protection Act 1998). A business will need to have identified a specific condition for processing special category data under Article 9 as well as the obligation under Article 6 i.e. the lawful basis for your processing the data.

Special category data includes information about an individual’s:

• Race;
• Ethnic origin;
• Politics;
• Religion;
• Trade union membership;
• Biometrics; 
• Genetics;
• Health;
• Sex life; or
• Sexual orientation.

You should also be aware that the regulations provide the following rights for individuals:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

Sanctions can be imposed for non-compliance and range from a warning, regular periodic data protection audits and fines (the level of which is dependant upon the infringement).

The regulations are detailed and businesses are advised to read the Guide to the General Data Protection Regulations well in advance of May 2018 so that, as a business, you can take the necessary steps to make sure that you are compliant from 25 May 2018.

MORE INFORMATION 

If like many businesses you are finding the GDPR difficult to understand or implement, you are advised to seek legal advice. For a free initial telephone consultation, please contact our Employment Department – our team of expert solicitors will be able to assist. Call on 01708 229444 or email us using our contact form.This article was written by Alexander Pearce, Employment Law Associate at Pinney Talfourd LLP Solicitors. The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. Specific legal advice should be taken on each individual matter. This article is based on the law as of February 2018.