The new data protection regime introduced by the EU General Data Protection Regulation (GDPR) took effect in the UK on 25 May 2018. In addition, on 23 May, the UK Data Protection Bill finished making its way through Parliament and became the Data Protection Act 2018.
While most companies had got to grips with the basic requirements of data protection law over the last 20 years (e.g. keeping data secure, restricting data retention periods, handling subject access requests, etc.), the GDPR has really upped the ante. Now that the new law has taken effect, read on for a reminder of the implications and information on EEF’s available resources to help you with compliance.
Increased obligations, higher penalties
The principles of the GDPR identifying how personal data should be handled and used are largely based on the previous law that we were all familiar with – for example, personal data should only be used fairly and lawfully and should not be kept for longer than necessary. However, the GDPR has also introduced various new obligations, such as the requirements to:
build in data protection “by design and default” – effectively, putting data protection considerations at the heart of your processes; and
“demonstrate” compliance – i.e. it’s not enough for a company to comply with the law, it must also be able to provide evidence of this.
The importance of compliance is underlined by the significant potential penalties for breach, including fines of up to 20,000,000 Euros or 4% of an organisation's global turnover, whichever is higher. The GDPR is enforced in the UK by the Information Commissioner’s Office (ICO).
Continuing the compliance journey
The GDPR regime is so onerous that most companies are unlikely to have achieved full compliance yet. The ICO has emphasised, however, that 25th March 2018 was “the start and not the end” for GDPR compliance and that companies must continue to build on their compliance going forwards.
For employers, this will include ensuring that they have in place certain essential documents relating to their employee data, such as:
privacy notices informing individuals how the company uses their personal data;
retention processes dealing with the company’s retention and deletion of individuals’ personal data;
data protection policies setting out how the company complies with its GDPR obligations and how it expects employees who handle personal data in their jobs to comply;
a record of processing activities detailing how the company uses personal data (this is an internal document but must be shown to the ICO on request); and
a Data Protection Impact Assessment (DPIA) template that they must use to assess data protection risks in certain circumstances going forwards.
How EEF can help
We have added new pages to the HR and Employment Law Resources section of our website offering detailed guidance on the GDPR and how to comply. To read this new content, click here.
EEF have also produced templates for HR for each of the essential documents mentioned above and have run a series of seminars on how to customise these for your organisation. If you have not attended a seminar but are interested in obtaining the template document pack, or if you would like to find out about how we can help you with bespoke HR consultancy advice on GDPR compliance, please email HREnquire@eef.org.uk.