General Data Protection Regulation – what must employers do

19 January 2018

On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force across the European Union (EU). Despite Brexit, the Government has confirmed that the GDPR will be implemented in the UK through the Data Protection Bill.

The GDPR's purpose is to ensure that a common set of data protection rules applies across the EU.

Do we need to comply with GDPR?

All employers need to comply with the GDPR, irrespective of size, because they will be 'processing' personal data relating to their employees, workers or contractors. Personal data is any information relating to a living individual who can be identified from it, whether directly or in combination with other information, for example their name, date of birth, bank account details and medical records. Organisations are 'processing' personal data if they collect, record, store, disclose, use or erase it.

Organisations that fail to comply are liable to fines of up to €20 million or 4 per cent of annual global turnover, whichever is the greater. Organisations are also exposed to claims for financial compensation from individuals who have suffered distress as a result of the organisation's failure to comply with the GDPR (for example, following a data breach, as in Various Claimants v Morrisons, which we reported on last month).

What is changing?

In addition to the increased fines mentioned above, some of the key changes are:

  • organisations must be able to demonstrate how they are complying by documenting their data protection practices;
  • consent to process personal data must be freely given and there must be a right to withdraw consent. The imbalance of power between employer and employee means that employers will rarely be able to rely on consent for processing workforce personal data and must rely on one of the other lawful reasons;
  • personal data breaches must be reported to the Information Commissioner's Office within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals;
  • there will be no charge for a Data Subject Access Request (except where a request is manifestly unfounded or excessive), and organisations will need to respond within one month of receiving it, extendable by a further two months for complex or numerous requests; and
  • some organisations will need to appoint a Data Protection Officer, and there will be a legal requirement to keep records of processing activities.

What do we need to do?

Key steps organisations need to take are:

  • audit the personal data currently processed about employees, workers and contractors: identify what data is collected, why it is collected, what is done with it, with whom it is shared and for how long it is held;
  • introduce or update privacy statements explaining what personal data is processed, what the processing activities are and the lawful basis for each;
  • consider appointing a Data Protection Officer or, at the very least, someone who is responsible for data protection compliance across the organisation;
  • introduce training at induction and annually so that the workforce understands the importance of data security, how to recognise a data breach and whom to inform if they spot one; and
  • update data protection policies accordingly.
