General Data Protection Regulation


General Data Protection Regulation: May 25th 2018
Get Familiar with GDPR
  • Train and inform employees;
  • Data protection should be a high priority for your business, along with keeping up to date with developments, policies, procedures etc.;
  • Prepare a security framework and an incident response plan which sets out clearly how personal data is to be handled and secured, and what employees should do if there is a breach;
  • Review and update your privacy policies;
  • Review your data consent processes in preparation for GDPR;

At the heart of the General Data Protection Regulation (GDPR) is a change in focus from regulating high risk data processing activities to improving data security in more routine matters. The GDPR aims to bring about a culture shift and HR’s role in this will be key.
Employers will need to review how they collect, hold and process personal data, as well as how they communicate with individuals about that activity.

The most significant change as far as employers are concerned is the increased sanctions. Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater, and staying compliant is likely to lead to additional costs and administration.

Recruitment processes, performance management and bonus allocation, disciplinary and grievance procedures and policies, and any automated processing or use of employee data for marketing purposes, will need to reflect the new data protection measures and principles. The regulation emanates from the European Union (EU) and is the biggest change to data protection law in over 20 years. Its aim is to expand, modernise and harmonise data protection laws across the EU and usher in the concept of data protection by design and by default. It applies not only to organisations inside the EU but also to those outside it that offer goods or services to, or monitor the behaviour of, individuals within Member States. It applies directly in all EU states, including the UK, from 25 May 2018 and comes into effect with a hard landing: there is no transition period and no excuse for non-compliance from day one.

The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament which will replace the UK’s existing Data Protection Act 1998 (DPA), bring UK law in line with the new rules and introduce additional changes. The resulting legislation is the Data Protection Act 2018.

There are also greater transparency obligations. Organisations must provide more information on what data they hold and what they do with that data, both to those inside the organisation, such as employees, and to those outside it, such as customers or clients. Running parallel with this is a new emphasis on accountability, and this is not just a tick-box exercise. Organisations must be able to demonstrate their compliance to regulators – in the UK’s case, the Information Commissioner’s Office (ICO) – on an ongoing basis and must maintain records of their processing, and individuals will have significantly increased rights to access their personal data. Because the GDPR requires data protection and privacy by design and by default, organisations need to build appropriate privacy requirements into their day-to-day operations and must notify the ICO, and any individuals affected, if certain types of personal data breach occur.

Read more on:

https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection/gdpr-factsheet

https://ico.org.uk/