If you’re anything like us, the four letters GDPR quite possibly fill you with dread, confusion and fear all at the same time. It’s easy to panic when you hear about potential €20m fines for non-compliance and data breaches.
Fed up with finding sketchy, piecemeal advice on this new UK legislation, we decided to interpret the legal speak and produce the straightforward guide to the GDPR that every business owner and HR professional is crying out for.
What follows is a high level summary of your organisation’s responsibilities under the GDPR. If you require more granular detail, we’ve produced a comprehensive support document for you to download for free from our website.
What is the GDPR?
The General Data Protection Regulation will become UK law on 25th May 2018. It will replace all data protection legislation in EU member states, including the UK’s Data Protection Act 1998. GDPR applies to all organisations that control or process personal data.
What is personal data?
Personal data is any electronic or hardcopy information relating to a living person that could be used to identify them, e.g. your name, email address, personnel records and health information.
What’s new?
*NEW* The right to access your personal data
A key change under the GDPR allows individuals to access any personal data organisations hold about them. The new regulation gives an individual the right to request that their data be amended, deleted, or that the organisation stop processing their information altogether.
*NEW* Using third parties
If your organisation uses third party suppliers to process personal data on your behalf, you must have a written contract in place with that supplier outlining both organisations’ obligations under the GDPR. Contracts must also be in place with every other party who processes personal data on your behalf, such as payroll bureaus, recruitment agencies and occupational health providers.
What’s changed?
Processing data
Organisations must have a valid (lawful) basis for processing personal data. Circumstances where consent is not necessary, but still deemed lawful, include providing a quotation, compliance with legal obligations, and carrying out tasks in the public interest. For a full list of these, please refer to our GDPR guide.
Consent
In the absence of any other valid basis for processing personal data, the individual must have freely given their consent for an organisation to do so. Opt-in forms must be clear and easy to understand and not pre-populated by the organisation, i.e. the opt-in checkbox must not be ticked as default.
Special category data
The GDPR imposes more stringent rules around the processing of Special Category data, which includes:
- Health information
- Political opinions
- Religious beliefs
- Racial or ethnic origin
There are also new regulations around processing data relating to criminal convictions, such as DBS checks during recruitment.
Procedures and privacyAll organisations must document their procedures for collecting and processing personal data. A Data Protection Impact Assessment (DPIA) must be completed, particularly when introducing new procedures for processing data.
If you collect personal data directly from an individual, such as a job application or via an electronic form, a clear, written data privacy policy must be provided at the time of collection. Your data privacy policy should set out: what data you collect, how it is processed and stored, how long you will keep the data for, if any third parties have access to the data, and how an individual can gain access to their own personal data.
Transferring data to other countries
The GDPR prevents the transfer of personal data to non-EU countries. There are exceptions to this rule, which are outlined in our downloadable GDPR guide.
Data breaches
If data is lost, sent to the wrong person, or accessed by an unauthorised person, this is a data breach. Organisations are obliged to report a data breach to the Information Commissioners Office within 72 hours of the incident occurring, unless the data controller does not believe that the breach poses any risk to an individual’s rights or freedoms. In this instance, the data controller must document the data breach in writing and keep this as evidence.
Data security
To prevent data breaches, organisations must take steps to ensure data security and provide employees with training to enable them to adhere to data protection policies. Training might cover data encryption, using strong passwords, restricting access to data, and how to deal with data security incidents. Regular tests and checks should be carried out to test employee knowledge and ensure data security procedures are sound.
Data Protection Officers (DPO)
The role of the DPO is to oversee data processing activity and ensure correct procedures are in place and adhered to. Public authorities, organisations that process special categories of data, or carry out large scale monitoring of individuals must appoint a DPO.
We hope our guide has provided clarity around your organisation’s obligations under the GDPR. If you require further support, please download a copy of our free guide, or speak to one of our team on 01942 727200. We’re here to share the pain!