Is compliance with the new EU data protection regime on your radar?
It’s not due to come into force until 25 May 2018, but businesses are being urged to start preparing for the General Data Protection Regulation (GDPR) this year in order to ensure compliance and minimise exposure to significant fines.
As the GDPR imposes far greater restrictions on the use of consent as justification for the processing of personal data, including employee personal data, employers will need to audit the personal employee data they collect and process in order to ensure that it meets the relevant conditions. In brief, these are as follows:
- Consent must be informed, specific, unambiguous and given freely.
- Consent must be given via a statement or clear affirmative action.
- If consent is provided via a written declaration, the employee must be able to clearly distinguish the corresponding request from other matters and it must be easily comprehensible.
- Consent will not be deemed to have been given freely if obtaining it was presented as a condition of the formation of a contract, but where such consent was not actually necessary for performance of the contract.
This means employment contracts that incorporate generic consents will not provide a valid legal basis on which to justify the processing of personal employee data. Accordingly, employers will need to be able to call upon a valid alternative justification for this purpose (e.g. where such processing is necessary for the performance of the contract), although it would certainly be preferable to obtain consent that meets the above conditions.
Additionally, fresh record-keeping and governance obligations mean that a further requirement of GDPR compliance will be for employers to produce or update their policies and processes as they relate to privacy notices, subject access requests and data breach responses.
Although the GDPR only applies directly to all EU member states, its introduction will predate the UK exiting the EU and therefore businesses that are not compliant by the implementation date will be at risk of fines of up to €20 million (£17m), or 4% of their annual worldwide turnover if this is higher.
In anticipation of implementation, we have partnered with Employee Management Ltd, a major provider of Human Resources, employment law and health & safety services, in order to assist employers in complying with their obligations under the GDPR. They can provide employers with the necessary amendments to employment contracts and originate the fresh policy documents required. Meanwhile, Smarter Technologies Ltd can undertake a preliminary audit/fact finding exercise in respect of personal employee data policies and procedures with a view to uncovering any potential exposure and putting measures in place to reduce any exposure identified.
If you are an employer concerned about compliance with your obligations as they relate to the GDPR, please do not hesitate to contact us or Employee Management Ltd in confidence and without obligation for an initial discussion.