Are you GDPR ready?
Although the General Data Protection Regulation comes into force on 25 May 2018, businesses should really look at their processes and procedures now, because the GDPR will create a major shift in how all organisations handle personal data.
At the moment, employers can justify processing employee data on the basis of consent in the contract of employment. The GDPR will set out stricter conditions regarding consent. It must be:
- freely given
- specific
- informed and unambiguous
In future, the onus will be on the employer to show that the employee gave adequate consent, which will require at the very least a review of the existing wording of employment contracts.
Any loss of personal data, whether by accident or by hacking, will have to be notified promptly to the data protection authority, and to the individuals themselves if the breach poses a significant risk to their rights and freedoms. Businesses should ensure they have a data breach response plan in place and train their employees accordingly.
The company data protection policy will also need to be reviewed in good time. All that’s needed at the moment is a privacy notice or “fair processing notice” that sets out the purposes for which data is processed. In future, employers will have to provide more information, such as:
- how long the data will be stored for
- if that data will be transferred to other countries
- information on the right to make a subject access request
- the right to have personal data deleted or rectified
amongst others.
The most significant change, however, will be that employees will have increased rights to object to certain processing, to have data corrected or restrict how data is used, and to be forgotten by having their data deleted. These rights could become an additional tool in employment disputes. In the right circumstances, an employee could use these rights to cause difficulties with an ongoing disciplinary process.
Ultimately, the best course of action is to get good legal advice and to ensure documentary records are in place and there are clear lines of responsibility. As always, if you need help or advice on this topic, give us a call.
This entry was posted on March 7, 2017