All businesses that process personal data have until 25 May 2018 to comply with the new General Data Protection Regulation (GDPR). Non-compliance can lead to fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (see the Irwin Mitchell fine calculator).
The GDPR will change the way employee data is processed, and employers will need to familiarise themselves with the changes and take steps to ensure that their practices are compliant. Employers' obligations apply in full from the day the new rules take effect in May 2018, with no transition period, so now is the time to start planning how to implement any changes.
What should you be doing now?
Ensure that key decision makers within your organisation are aware of the introduction of the GDPR and its likely impact.
Designate someone to take responsibility for data protection compliance and review where that role sits within the organisation's structure. Consider whether your organisation is required to appoint a Data Protection Officer.
Carry out a "data audit" to document the personal data the company holds: where it came from, where it is stored, who it is shared with, what it is used for, and so on. You will need to identify the lawful basis for your processing of employee data and, separately, the condition you rely on for any sensitive personal data (called "special category data" under the GDPR, which needs a lawful basis plus a further specific condition), and decide whether your current arrangements are GDPR compliant or whether new processes need to be put in place.
Review current policies, contractual provisions and privacy notices to ensure that they demonstrate that the processing of employee data is compliant with the GDPR. Use plain English and, if amendments are required, allow sufficient time before the GDPR deadline for implementation and staff training.
If you are relying on consent to process data, consider whether your documents are compliant, whether you can prove that consent is freely given, specific, informed and unambiguous, and what you will do if that consent is subsequently withdrawn. Bear in mind that, because of the imbalance of power between employer and employee, regulators regard consent as difficult to rely on in the employment context, so another lawful basis will often be the safer choice.
Prepare for data protection breaches by putting in place robust procedures so that you can react to any potential breach and, where it is likely to result in a risk to individuals' rights and freedoms, notify the regulator within 72 hours of becoming aware of it. Where the risk is high, affected individuals must also be informed.
Consider how you will deal with a request from an employee to delete their data (the right to erasure, commonly called the right to be forgotten) and whether you have any grounds to refuse such a request under the GDPR, for example where the data must be retained to comply with a legal obligation.
Ensure that your processes for dealing with any Subject Access Request are up to date within the new timescales (generally one month, rather than the 40 days under the Data Protection Act 1998, and in most cases without a fee) and that you have provided sufficient information to employees about their rights.
How can we help?
We would be happy to discuss any questions or concerns you might have regarding the introduction of the GDPR and to work with you to identify any specific areas of risk for your organisation.
Irwin Mitchell can carry out a critical evaluation of your current employment practices, policies and contractual clauses and advise on updating these to ensure compliance. We can also provide you with template audit documentation to support your internal audit process, and can supply GDPR-compliant standard or bespoke contractual clauses, policies and procedures.
This briefing is part of a series of updates that we plan on the GDPR. If you have any questions on this briefing or would like to discuss any aspect of the GDPR or data protection, privacy issues or any other employment law issues, please contact Jennifer Walton or your usual Irwin Mitchell advisor.
Published: 7 August 2017
Employment Law Update - August 2017