The General Data Protection Regulation (GDPR) will be enforceable in the UK from May 2018, updating the way businesses must handle personal data, including what they hold on employees. How is this going to affect HR professionals? HR magazine visited a data protection masterclass hosted by Ashfords to find out.
1) It is an update of previous legislation
The Data Protection Directive (DPD) was an EU directive introduced in 1995. Chris Coughlan, head of data protection and privacy at Ashfords, said this was in need of a refresh. “In 1995 Google had not even been incorporated yet,” he said. “It’s a different time now than it was 20 years ago, and the regulations needed to be reformed.”
A key change from the DPD is the broader scope of who the GDPR applies to. If you are established in the EEA (or the firm processing your data is), if you offer your services to residents of the EEA, or if you monitor the behaviour of those in the EEA, then the rules will apply to you.
2) You may need a DPO (data protection officer) in your team
If you are a public authority, carry out large-scale systematic monitoring of individuals, or carry out large-scale processing of special categories of data or data relating to criminal convictions and offences, then you will need to welcome a DPO to your team.
“The DPO needs to report to the board, and they are a protected employee so they cannot be dismissed just because a senior manager doesn’t like what they are saying,” Coughlan explained. “Also, there are certain rules about who can and cannot be a DPO. You cannot, for example, give the role to the CEO as that will create a conflict with their commercial ambition.”
3) The penalties for non-compliance will be considerably harsher
Under the old system the maximum fine for a breach was £500,000. However, the GDPR will increase the amount under a two-tier structure. Less serious incidents could result in a maximum fine of either €10 million (£7.9 million) or 2% of an organisation's global turnover, whichever is greater. The most serious offences have a new maximum fine of up to €20 million (£17.9 million) or 4% of turnover, whichever is greater.
“The consequences of getting this wrong are now extremely significant,” Coughlan said. “But reporting any breach immediately could make things better for you in the long run than if you failed to report it and it was discovered at a later date.”
4) It will still apply after Brexit
The GDPR is a European Directive, so Brexit throws up the question of whether it will still apply.
Secretary of state for culture, media and sport Karen Bradley said it will. “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public,” she said.
UK information commissioner Elizabeth Denham agreed. “I acknowledge that there may still be questions about how the GDPR would work in the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018,” she said. “We’ll be working with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate.”
5) You should act now
Take steps now to be ready for when this is implemented in May, advised Coughlan. “It’s important to give someone ownership of this,” he said. “Start to try to streamline the data you have – if you find you have data you don’t need just delete it. Start mapping how data flows through your organisation.”
He added that businesses should not assume they will not be affected by the changes. “Some firms have said they want to ‘wait and see’ what happens,” he said. “But that could be risky, as we know [Denham] has investigated many types of business, including small firms and charities, in the past.”