You are unlikely to have escaped the General Data Protection Regulations (GDPR), which take effect on 25 May 2018. We look at what this means for businesses and employers.
Currently, the UK relies on the Data Protection Act 1998, which was enacted to implement the 1995 EU Data Protection Directive. Some of the new regulations mirror those found under this Act, but from May this year the Act will be superseded by the new legislation. GDPR introduces tougher fines for non-compliance and breaches and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
Article 5 of the regulations requires that personal data shall be:
Article 5(2) of the regulations requires that the controller shall be responsible for, and be able to demonstrate compliance with, these principles. So, in short, what does that all mean for you?
As a business, you must have a lawful basis in order to process personal data. Article 6 of the regulations sets out the lawful bases for processing data, and at least one of them must apply whenever you process personal data. The lawful bases for processing data are:
You must determine the lawful basis (or bases) before you begin processing and should document it, together with the purposes for processing. Privacy notices should be updated to comply with the new regulations.
This is important, as you need to get it right first time: the lawful basis should be settled before any processing starts.
Consent, contract and legitimate interests are likely to be the main lawful bases that an organisation identifies, and in each case the processing must be necessary for that purpose.
There are tighter restrictions when processing special category data (previously referred to as sensitive personal data under the Data Protection Act 1998). A business will need to have identified a specific condition for processing special category data under Article 9, in addition to the Article 6 obligation, i.e. the lawful basis for processing the data.
Special category data includes information about an individual’s:
You should also be aware that the regulations provide the following rights for individuals:
Sanctions can be imposed for non-compliance and range from a warning to regular periodic data protection audits and fines (the level of which depends on the infringement).
The regulations are detailed, and businesses are advised to read the Guide to the General Data Protection Regulations well in advance of May 2018 so that they can take the necessary steps to be compliant from 25 May 2018.
If, like many businesses, you are finding the GDPR difficult to understand or implement, you are advised to seek legal advice. For a free initial telephone consultation, please contact our Employment Department; our team of expert solicitors will be able to assist. Call 01708 229444 or email us using our contact form.

This article was written by Alexander Pearce, Employment Law Associate at Pinney Talfourd LLP Solicitors. The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. Specific legal advice should be taken on each individual matter. This article is based on the law as of February 2018.