Despite Brexit, the UK will implement the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018. Sarah Thompson discusses significant changes employers need to be aware of – including a new penalty regime – and next steps for HR.
The GDPR harmonises data protection laws across the EU and updates the current 20-year-old regime to take account of globalisation and the ever-changing technology landscape.
It will apply not only to EU companies, but to any company processing the personal data of individuals in the EU in relation to offering goods or services, or to monitoring their behaviour.
Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.
The level of fine will depend on the type of breach and any mitigating factors, but the fines are undoubtedly meant to penalise an employer’s disregard for the GDPR.
Employers should prepare for the following changes to avoid being subject to the new enforcement penalties.
More detailed privacy notices
Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
- how long data will be stored for;
- if data will be transferred to other countries;
- information on the right to make a subject access request; and
- information on the right to have personal data deleted or rectified in certain instances.
Restrictions to consent
Currently, many employers justify processing personal data on the basis of employee consent. This approach has been increasingly criticised because there is doubt as to whether or not consent is given freely in the subordinate employer-employee relationship.
There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Instead, employers will generally need to rely on one of the other legal grounds to process personal data.
New breach notification requirement
The GDPR imposes a new mandatory breach reporting requirement. Where there has been a data breach (such as the accidental or unlawful loss or disclosure of personal data), the employer will have to notify the data protection authority and provide it with certain information within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals concerned, those individuals will also have to be notified.
Data protection officers
All public authorities and those private companies involved in regular monitoring or large-scale processing of sensitive data will need to appoint a data protection officer to:
- advise on GDPR obligations;
- monitor compliance; and
- liaise with the data protection authority.
How to prepare now
Co-operation and understanding of the new GDPR obligations across the business are critical, and organisations will need HR, legal, IT and compliance teams to take a combined approach.
The most important steps for HR to take now include:
- Carry out a data audit. Carefully assess current HR data and related processing activities and identify any gaps with the GDPR.
- Review current privacy notices and update them to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.
- Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether or not it meets GDPR requirements and remember that consent may be revoked at any time. Employers will generally need to rely on one of the other legal grounds to continue to process employee personal data.
- Develop a data breach response programme to ensure prompt notification. Allocate responsibility to certain people to investigate and contain a breach, and make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
- Determine whether or not a data protection officer must be appointed and, if so, think about how best to recruit, train and resource one.