The General Data Protection Regulation (GDPR) - What is it? What is required and how do you get prepared? Are your people, processes and systems ready to comply?
The GDPR will replace the Data Protection Act (DPA) with effect from 25th May 2018 and will place higher compliance burdens on employers than ever before by providing additional protection for individuals’ data.
The GDPR will impose some important changes on the operation of UK data protection law. If your organisation is already subject to the DPA, it is likely that it will also be subject to the GDPR.
Some of the most important changes include:
- Increased fines for non-compliance - Under the DPA, organisations can be fined up to £500k. However, the GDPR will allow fines of up to €20m (£18m) or 4% of the organisation’s worldwide turnover. Therefore, more frequent and higher fines are predicted.
- Strengthening of the ‘right to be forgotten’ - The case for an individual to have their personal data deleted will be stronger, with individuals able to request the deletion/removal of personal data where there is no compelling reason for it to be retained. Under the DPA the right to request deletion is limited to data which causes damage or distress.
- The banning of pre-ticked opt-in boxes - The prohibition of implied consents for the retention and use of personal data means that individuals must proactively choose to allow their personal data to be retained. Organisations must also ensure that where consent is given, it can be easily withdrawn.
- Data Protection Officers (DPOs) and Data Impact Assessments (DIAs) - Organisations must, if necessary, appoint a DPO and undertake DIAs, for instance where there is regular monitoring of individuals. The role of a DPO can either be in house or outsourced.
- Significant changes to Subject Access Requests (SARs) - With effect from 25th May 2018, individuals will no longer need to pay a fee when making a SAR (unless that SAR is ‘manifestly unfounded or excessive’) and employers will now have less time to provide the information requested. Furthermore, employers must also take steps to verify the identity of the person making the SAR.
All of the above changes place additional requirements on employers and we have already fielded a number of calls from clients with concerns about how they can prepare for the GDPR coming into law. We have provided the following three top tips in preparing your organisation for the GDPR:
- Awareness - You should ensure that the key people in your organisation are aware that the law is changing as they will need to appreciate the impact this is likely to have. Attwells can provide in house training to your key staff on the GDPR.
- Communicating Privacy Information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for the GDPR. Attwells can review and amend your current notices or provide you with all new notices so as to ensure that you are compliant with the GDPR.
- Data Protection Policies - You should ensure that all relevant policies are updated so as to be GDPR compliant, circulated to staff and incorporated into a staff handbook. Attwells can draft Data Protection Policies ensuring that customer, supplier and employee data is obtained, held and processed in accordance with the GDPR.