General Data Protection Regulation - What’s all the change?
The new GDPR comes into force on 25th May 2018, replacing the Data Protection Act 1998, and continues to present a challenge for employers and others in determining what needs to be done.
Fundamentally the new Regulation puts the control of data back into the hands of the Data Subject – the individual who is the subject of ‘personal data’ or ‘sensitive data’ – and gives them enhanced rights. It also requires anyone holding and using this data – the Data Controller or Data Processor - to be much more accountable for and transparent about what they do with that data.
‘Personal data’ refers to data that can be used to identify a person, for example their name and address, whilst ‘sensitive data’ relates to the ‘special categories’ of data, such as trade union membership, religious beliefs, political opinions, racial or ethnic origin, health data and sexual orientation.
Data Controllers and Processors are required to record and maintain details of their activities involving personal and sensitive data, and to justify, document and evidence their decisions about what they do with that data. Individuals will have easier access to the data that organisations hold about them, there will be a new fines regime, and organisations will carry clear responsibility for obtaining consent, where consent is the basis for processing, from those they collect information about.
Accountability, compliance and consent
The GDPR will require organisations to be more accountable for their handling of people's personal information.
The framework that will support achievement of this includes:
- Appointing a Data Protection Officer (DPO) or Data Protection Lead.
This is mandatory for most public authorities, for organisations whose core activities involve "regular and systematic monitoring" of individuals on a large scale, and for those that process special category data on a large scale. The DPO must report to senior management, and their responsibilities include monitoring compliance with GDPR, advising the organisation, providing training, undertaking internal audits and acting as a point of contact for employees, customers and the supervisory authority. DPOs must operate independently within the organisation and cannot be dismissed or penalised for performing their role. They must have expert knowledge of data protection law and practice.
- Having a clear policy and procedures in place for the management and processing of data
- Supporting a culture from the top of the organisation downwards of monitoring, reviewing and assessing data processing procedures, with the aim of minimising data processing and retention of data and building in safeguards to monitor and minimise opportunities for a data breach to occur
- Undertaking Data Protection Impact Assessments and audits to record, understand and show what steps have been taken to address specific concerns.
- Documenting data collection and processing activity
Organisations with 250 or more employees need to keep a record of processing activities that sets out why personal or sensitive data is being collected and processed, what information is held, how long it is retained for and what security measures are in place. Smaller organisations are not exempt where their processing is likely to result in a risk to individuals, is not occasional, or involves special category data.
- Implementing processes, where necessary, for gaining consent
In some cases, for example where data is held for direct marketing purposes, businesses will need to obtain consent from individuals to process their data and keep records to show that consent has been given. Consent must be a clear "positive opt-in": individuals must be told plainly what they are consenting to, pre-ticked boxes or silence do not count, consent cannot be made a condition of a contract, and it must be as easy to withdraw consent as it was to give it. Records must be kept to show who consented, when and to what.
Any information given about data privacy or consent has to be provided in user-friendly language, be concise and transparent and easy to access. It must also be available free of charge.
Taking the right approach
Data Protection specialists Bruce and Butler (2018) advocate a Privacy by Design approach to minimise the chances of a data breach:
- Data Protection Impact Assessments – the use of risk assessments to identify the risk of a breach, its likelihood and impact, and the controls that need to be put in place to minimise that risk.
- Data Minimisation – questioning why each item of data is held and whether it is necessary, so that only the minimum is collected, processed and retained.
- Pseudonymisation – replacing names and other direct identifiers with a substitute, for example a payroll number or a randomly allocated reference, when data is being processed, with the key that links the substitute back to the individual held separately. Pseudonymised data is still personal data under GDPR, because it can be re-identified with that key.
- Encryption – ensuring that data is encrypted when it is sent for processing, for example information sent to an outsourced pensions or payroll provider, as well as when it is stored.
- Restriction – restricting access to data on a need-to-know basis, using individual logins, role-based permissions and access logs rather than shared passwords.
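The minimisation and pseudonymisation points above can be combined in one step before an HR extract leaves the organisation. The following is an added example, not code from the page or from Bruce and Butler: it takes a constructed set of employee records (the names, National Insurance numbers and payroll numbers are made up), keeps only the fields a hypothetical outsourced payroll provider needs, and replaces the direct identifiers with either a random token (with the token-to-identity table kept by the controller) or a keyed HMAC under a secret the controller holds. The plain, unkeyed hash that is sometimes used instead is deliberately not offered: NI numbers have a small, enumerable format, so their unkeyed hashes can be brute-forced back to the original.

```python
"""Pseudonymise an HR extract before sending it to an outsourced payroll
provider. Added example; the employees, field names and keys are constructed
for illustration and are not from the original page."""
import hashlib
import hmac
import secrets

# Constructed sample HR records (hypothetical people and NI numbers).
EMPLOYEES = [
    {"name": "Ada Example", "ni_number": "QQ123456C", "payroll_no": "P0001",
     "gross_pay": 3100.00, "union_member": True},
    {"name": "Ben Sample", "ni_number": "QQ654321A", "payroll_no": "P0002",
     "gross_pay": 2750.50, "union_member": False},
]

# Fields that identify a person directly and must not reach the provider.
DIRECT_IDENTIFIERS = ("name", "ni_number")
# Data minimisation: the payroll provider needs only these fields. Note that
# union membership (special category data) is not in the list, so it is dropped.
PAYROLL_FIELDS = ("payroll_no", "gross_pay")


def pseudonymise_random(records, keep=PAYROLL_FIELDS, ids=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with a random token and drop every field the
    recipient does not need. Returns (export, lookup): the export goes to the
    provider; the lookup table (token -> identity) stays with the controller and
    is stored separately from the export."""
    export, lookup = [], {}
    for rec in records:
        token = secrets.token_hex(16)  # 128 random bits; cannot be derived from the person
        lookup[token] = {f: rec[f] for f in ids}
        export.append({"pseudonym": token, **{f: rec[f] for f in keep}})
    return export, lookup


def pseudonymise_keyed(records, key, keep=PAYROLL_FIELDS):
    """Deterministic alternative: HMAC-SHA256 of the NI number under a secret
    key held only by the controller, so successive monthly exports can be linked
    by the provider without a lookup table being shipped. Without the key the
    token cannot be reversed, unlike an unkeyed hash of a guessable identifier."""
    export = []
    for rec in records:
        token = hmac.new(key, rec["ni_number"].encode(), hashlib.sha256).hexdigest()
        export.append({"pseudonym": token, **{f: rec[f] for f in keep}})
    return export


def reidentify(row, lookup):
    """Join an export row back to the person. Only possible with the lookup table,
    which is why it must be held apart from the export."""
    identity = lookup[row["pseudonym"]]
    return {**identity, **{k: v for k, v in row.items() if k != "pseudonym"}}


def leaks_identifiers(export, originals, ids=DIRECT_IDENTIFIERS):
    """Pre-release check: True if any identifier field, or any identifier value
    from the original records, appears anywhere in the export."""
    values = {str(rec[f]) for rec in originals for f in ids}
    for row in export:
        if any(f in row for f in ids):
            return True
        if any(v in str(cell) for cell in row.values() for v in values):
            return True
    return False


if __name__ == "__main__":
    export, lookup = pseudonymise_random(EMPLOYEES)
    assert not leaks_identifiers(export, EMPLOYEES)
    print("export sent to provider:", export)
    print("re-identified by controller:", reidentify(export[0], lookup))
    keyed = pseudonymise_keyed(EMPLOYEES, b"controller-held-secret")
    print("keyed export:", keyed)
```

The random-token form is the stronger choice when the provider never needs to link one month's file to the next; the keyed form trades that for stable pseudonyms, so the HMAC key then needs the same protection as the lookup table. Either way, the export file itself should still be encrypted in transit, as the encryption point above describes.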
Individual rights
As well as the new obligations placed on organisations about collecting personal data, the GDPR also gives individuals much greater power to access information held about them. At present businesses and public organisations can charge £10 for data to be released under a Subject Access Request (SAR); under GDPR this will no longer be allowed, except for a reasonable fee where a request is manifestly unfounded, excessive or repetitive. Information requested must be provided within one month (extendable by a further two months for complex or numerous requests), and everyone will have the right to confirmation of whether an organisation holds data about them, the right to access that data, and the right to supplementary information such as the purposes of processing, the recipients and the retention period.
Where data is processed automatically and used in decision making, individuals will "have the right not to be subject to a decision" that is based solely on automated processing and has a legal or similarly significant effect on them.
A further power to be given to individuals is the right to get their personal data removed in some but not all circumstances. This power includes, for example, where it is no longer necessary in relation to the purpose it was collected for, when consent is withdrawn, when there's no legitimate interest in that data being held, and where it was unlawfully processed.
GDPR fines
Under GDPR, a personal data breach, meaning the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data, must be reported to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, such as financial loss or damage to reputation, the affected individuals must also be told without undue delay.
Regulators will have the right to fine organisations that fail to comply. The maximum fine depends on which obligations have been infringed:
- The higher tier applies to infringements of the basic principles of processing (including the conditions for consent), of individuals' rights, and of the rules on international transfers
In these cases the data controller/processor can be fined up to €20m or 4% of the previous year’s global turnover, whichever is higher.
- The lower tier applies to the other obligations on controllers and processors, such as security of processing, record keeping, breach notification and appointing a DPO
In these cases the fine is up to €10m or 2% of the previous year’s global turnover, whichever is higher.
Businesses that suffer a breach are also expected to have clearly documented plans in place to contain and recover from the incident, an incident log, and documentary evidence that they have recognised, considered and addressed their legal obligations in relation to a personal data breach, including the remedial steps they have taken following it.
What you need to do
Bruce and Butler (2018) have established a recommended three-step approach to achieving compliance with GDPR. Following these steps can help set your business on the right path to meeting the requirements of the Regulation.
Ask for further help and support in meeting your responsibilities under GDPR by contacting cHRysos HR or Bruce and Butler, Data Protection Specialists at info@bruceandbutler.com or Tel. 0114 3992641.
cHRysos HR Solutions are a UK wide HR training and consultancy company offering CIPD accredited qualifications, Apprenticeships, Training and HR Services to SMEs. For more information about how cHRysos HR can help you or your teams successfully achieve further qualifications, contact us on info@chrysos.org.uk or call 03300 562443.