Employers: What Should you be Doing to Prepare for the GDPR?

20/12/2016

The General Data Protection Regulation (“GDPR”) will apply to all EEA countries and companies that conduct business in them from 25 May 2018 and, despite Brexit, the government has confirmed that the UK will implement GDPR. This article looks at the implications of GDPR for employers and the practical steps employers should be taking now in order to be prepared for May 2018.

Employers collate, hold and process employees’ personal data on a daily basis, often unaware of the implications that data protection legislation has for that processing. With the impending application of GDPR, now is the perfect time for employers to review their processes to ensure compliance with the GDPR. After all, the risk of potential penalties for non-compliance of up to €20 million or 4% of annual worldwide turnover, whichever is higher, should spur most boardrooms into action.

What should you be doing to prepare?

  1. Employers should review and update their fair processing notices (a notice informing staff how they can expect their personal data to be handled and for what purposes) to reflect the additional requirements of GDPR. Employers must provide concise, transparent, intelligible and easily accessible information to their employees relating to how their personal data will be treated.
  2. Employers must inform employees that they have a right to object to the processing of their personal data. Consideration therefore needs to be given to the format in which this information will be provided and when. We recommend that a separate document is used and that this information is not included in employment contracts.
  3. Employers should ensure they have proper consent from employees and job applicants to process their data. Assumed consent is not accepted; consent needs to be “freely given, specific, informed and unambiguous”. Consent must be given by a statement or through clear, affirmative action (e.g. ticking a tick box) to signify agreement to personal data being processed. In practice, employers will need to review their processes relating to recruitment, employment and post-employment to ensure compliance. For example, if payroll is outsourced, employers will need their employees’ consent to the transfer of the personal data to facilitate the outsourcing.
  4. Employers need to ensure their current privacy policies are up to date and relevant to the incoming GDPR. The GDPR contains a statutory requirement to have in place an appropriate data protection policy in relation to the processing activities being carried out (it may be appropriate to have one policy in place in relation to employees’ data and another, public-facing privacy policy in place in relation to customers’ data).
  5. Employers must have adequate procedures in place to detect, report and investigate personal data breaches. The GDPR will introduce a new mandatory requirement for data controllers to notify the relevant regulatory authority (the Information Commissioner’s Office (ICO) in the case of the UK) of personal data breaches, for example where data is lost or personal data is subject to a cyber-attack, where there is a risk to the individuals concerned. The data controller must notify the regulatory authority within 72 hours and may also have to notify the employees in question.
  6. Ensure procedures are in place to delete data that is no longer needed, e.g. because the employee is no longer employed. As part of this, employers will need to ensure their IT systems have the capability to permanently delete data with no traces being stored. The GDPR gives data subjects the right to have their personal data deleted without undue delay where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

How can we help?

We provide businesses with expert advice on their data protection obligations and how to protect data subjects’ personal information effectively. If you have any concerns about your data protection responsibilities, or any other commercial issues in relation to your business, contact the experienced commercial solicitors at Herrington Carmichael for specialist advice.

For further information or to discuss the issues raised by this article, please contact Matthew Lea on 01276 686222 or email corporate@herrington-carmichael.com.