Preparing for the new changes to data protection laws: 7 steps to take now

25 September 2017

Despite the ongoing Brexit negotiations, the UK government has recently confirmed its plans to adopt the EU General Data Protection Regulation (GDPR) in May 2018. In addition to enhancing the current Data Protection Act 1998 (DPA), the GDPR contains several new requirements, many of which will have a significant impact on employers.

Step 1: Adopt a ‘privacy by design’ approach

Whilst it has long been good practice to ensure that privacy is embedded throughout any new product or processing model, the GDPR makes privacy by design an express legal requirement. Employers should begin to consider whether their current processes and procedures adopt a ‘privacy by design’ approach and if not, seek to implement this model as soon as possible in order to demonstrate compliance and offer a competitive advantage.

Step 2: Prepare for data security breaches

Employers must ensure that they have adequate procedures and systems in place to detect, report and investigate a data breach. This is especially important given that the GDPR introduces a new requirement for a data controller to notify the Information Commissioner’s Office (ICO) within 72 hours of discovery. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, data controllers may also be required to directly inform those affected by the breach.

Step 3: Appoint a Data Protection Officer

Certain organisations are required to formally designate an individual to take responsibility for data protection compliance, in the role of a Data Protection Officer.

Those bound by this requirement are:

  • Public authorities;
  • Organisations that carry out the regular and systematic monitoring of individuals on a large scale; and
  • Organisations that carry out the large-scale processing of special categories of data, such as information about criminal convictions or health records.

Even if an employer does not fall within one of these categories, it may be prudent to appoint a Data Protection Officer or an external data protection advisor regardless.

Step 4: Review your current privacy notices

Organisations are already bound under the DPA to provide individuals with certain information when they collect their personal data, such as the identity of the organisation and how it intends to use their information. Under the GDPR, an employer will also have to advise individuals of the lawful basis for processing the data, the right of the individual to complain to the ICO, and the applicable data retention periods. Current privacy notices should be updated to include the additional requirements of the GDPR and should be set out in a clear and concise manner.

Step 5: Consider the rights of data subjects

The rights that data subjects will enjoy under the GDPR are predominately the same as those under the DPA, with some enhancements.

If an employer stores personal data of individuals, it must consider and identify the legitimate grounds for its retention. The burden of proof will be upon the organisation to demonstrate that the legitimate grounds for storing said data override the interests of the data subject.

Organisations will also have to consider how they will comply with the ‘right to be forgotten’ if the data subject requests it.

Step 6: Ensure your consents are compliant

Employers are not required to automatically refresh or ‘repaper’ all existing DPA consents to ensure compliance with the GDPR. However, employers will need to make changes if the existing consents held were not explicitly given; for example, if they were granted by way of an individual’s silence, inactivity or a pre-ticked box. Under the GDPR, consent must be specific, informed and freely given. It must also be separate from other terms and conditions and requires a positive opt-in from the data subject.

Step 7: Update your Subject Access Requests

The GDPR introduces several new rules relating to Subject Access Requests. Organisations will not be able to charge for complying with a request, unless that request is manifestly unfounded or excessive. Further, all requests must be complied with within one month, as opposed to the current 40 days. If an organisation wishes to refuse a request, it must advise the individual of the reasons for doing so and inform them of their right to complain to the relevant authority.

Employers should seek legal advice when considering making amendments to their data protection policies and procedures in light of the incoming legislation.

Toni Fitzgerald Gunn is a Solicitor in Worthingtons Commercial Solicitors, Belfast, where she specialises in Employment Law and can be contacted on 028 90 434015.