At the heart of the General Data Protection Regulation (GDPR) is a change in focus from regulating high risk data processing activities to improving data security in more routine matters. The GDPR aims to bring about a culture shift and HR’s role in this will be key.
Employers will need to review how they collect, hold and process personal data, as well as how they communicate with individuals about that activity.
The most significant change as far as employers are concerned is the increased sanctions. Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater, and staying compliant is likely to lead to additional costs and administration.
Recruitment processes, performance management and bonus allocation, disciplinary and grievance procedures and policies, and any automated processing, or use of employee data for marketing purposes, will need to reflect the new data protection measures and principles. The regulation emanates from the European Union (EU) and is the biggest change to data protection law in over 20 years. Its aim is to expand, modernise and harmonise data protection laws across the EU and usher in the concept of data protection by design and default. It applies not only to organisations inside the EU but also to those outside it providing goods or services, or monitoring browsing behaviour, within Member States. It applies directly to all EU states, including the UK, from 25 May 2018 and comes into effect with a hard landing – there is no transition period and no excuse for non-compliance from day one.
The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament which will amend the UK’s existing Data Protection Act 1998 (DPA) in line with the new rules and introduce additional changes. This will now be the Data Protection Act 2018.
There are also greater transparency obligations. Organisations must provide more information on what data they hold and what they do with that data, both for those inside the organisation, such as employees, and those outside it, such as customers or clients. Running parallel with this is a new emphasis on accountability, and this is not just a tick-box exercise. Organisations must be able to demonstrate their compliance to regulators – in the UK’s case, the Information Commissioner’s Office (ICO) – on an ongoing basis and to maintain records, and individuals will have significantly increased rights to access their personal data. Because the GDPR requires data protection and privacy by design and default, organisations need to build appropriate privacy requirements into their day-to-day operations and notify the ICO, and any individuals affected, if certain types of data breach occur.
Read more at:
https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection/gdpr-factsheet