Thank you for contacting us.
We will get back to you as soon as possible.
GDPR: the clock is ticking!
25th May is fast approaching and GDPR will then really be here!
Employers have been losing sleep over this new legislation but maybe they have been overreacting. Yes, the law is changing but in an evolutionary rather than revolutionary way. The key principles of the current Data Protection Act 1998 will remain. Employers will need to deal with data “lawfully, fairly and transparently”; they must not hold excessive data and should only use it for the intended purpose. They also need to check accuracy and not hold the information for longer than needed. As has always been the case, information must be kept safe and secure.
So what is actually new? Well, it’s a case of altered emphasis more than brand new concepts.
Employers must be ultra clear and specific about the data that they hold, for what purpose it is held and the lawful basis upon which they will deal with the information. It is no longer sufficient to make generalised, all-inclusive statements about data processing. And this applies to the obtaining of consent as well; general provisions in employment contracts providing blanket consent for all data processing will not work anymore.
Furthermore, employers will be more accountable under GDPR for their use of personal data; they must have thought through the grounds for lawful processing and have good “data governance” in place. And they must be able to demonstrate GDPR compliance through full and detailed record keeping. A significant new provision is that employers must self report breaches and even notify data subjects where there has been a GDPR breach in certain circumstances.
The other major change is around sanctions and this is what has been hitting the headlines. Under the current regime, the big complaint has been that the ICO has lacked enforcement “teeth”. Well, under GDPR the fines will be significantly higher; up to 4% of global turnover or £80m, whichever is higher. Employers who have been blasé about data processing in the past will need to modify their behaviours.
For advice on Employment law issues, please contact Richard Gvero.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.