What is the GDPR?
New Regulations from Europe, which adapt, expand on and replace the existing Data Protection Act 1998. The Regulations come into force on 25 May 2018.
Why do I need to be aware of the GDPR?
The Regulations apply to all organisations that control and/or process personal data. Employers will hold personal data about employees, and may process and control data from clients too. The GDPR may affect your contractual relationships and social media platforms.
Failure to comply with the requirements of the GDPR can result in fines of up to 20 million euros or 4% of a business's annual turnover, whichever is greater.
What does the GDPR require?
In a very brief summary of the main points:
- Ensuring that internal processes, accurate record keeping and procedures for gathering, handling, using, sending, storing and disposing of data, including international data transfers, comply with the new regulations and data protection principles.
- Undertaking privacy impact assessments.
- All organisations are now required to report their own breaches of the GDPR to the Information Commissioner’s Office and the individuals concerned.
- Consent to process or use data must be clear, unambiguous, freely given and outside of existing terms and conditions.
- New rules apply for processing of children’s personal data.
- You may be required to nominate a specific Data Protection Officer, if you are a public authority, carry out large scale monitoring of individuals, or process special categories of data such as health records or criminal convictions.
Why has the GDPR been introduced?
In an increasingly digital world, more data is gathered on us than ever. We post personal information over social media. Internet providers track our usage and our preferences. We are filmed on CCTV, and our location tracked via our mobile devices. Companies use our information for marketing purposes. Health providers often hold sensitive personal information about us in medical records. Our data can travel across jurisdictions with little oversight. Organisations and individuals are vulnerable to crime and exploitation when data is hacked, lost or used for unauthorised purposes.
The GDPR is an update on the existing Data Protection Act 1998, and is broader in scope, covering new ways in which our data is used and gathered.
Does the GDPR apply given that we are leaving the EU?
The GDPR will become UK law effective on 25 May 2018, before the UK exits the EU. The UK based Information Commissioner’s Office will be able to directly enforce the regulations against businesses from that date.
How can I prepare?
Make sure you prepare now.
Contact the Spearing Waite Employment Team and Commercial Team to seek bespoke advice on the impact of the GDPR on your employees and business.
Let us know if you would be interested in:
- Attending our seminar on GDPR and HR on 14 November 2017; and/or
- A review of your data compliance policies and practices.