For most businesses, keeping HR records, customer lists or contact details is standard practice in line with the Data Protection Act. However, the Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the General Data Protection Regulation (GDPR), and under the new rules the definition of personal data will be broader. So what will this new legal framework mean for business?
Will the GDPR apply to my company?
Yes. From May 2018 the General Data Protection Regulation will apply to all organisations handling the personal data of EU citizens. Every business will need to comply with the new legislation or face harsh penalties.
What are the penalties for non-compliance?
Employers that fail to comply with the new rules face fines of up to £20 million or 4% of annual worldwide turnover, whichever is the greater.
Your responsibilities for day-to-day data protection under the new laws:
Under the current law, employers should provide employees with a privacy notice setting out certain information. Under the GDPR, you will be required to provide more detailed information, including:
- how long data will be stored for
- if that data will be transferred to other countries
- information on the right to make a subject access request; and
- information on the right to have personal data deleted or amended in certain circumstances
At the moment, many employers process personal data on the basis of employee consent. Under the GDPR there are further requirements and restrictions for obtaining consent and employees will be able to withdraw their consent at any time.
Mandatory data breach notification requirement
Where there has been a data breach (for example, accidental or unlawful loss or disclosure of personal data), the employer must notify the data protection authority within 72 hours and provide it with certain information. Where a breach is likely to pose a risk to the rights and freedoms of the individuals concerned, those individuals should also be notified.
Data Protection Officers
All public authorities, and those private companies involved in regular monitoring or in processing sensitive data on a large scale, will need to appoint a dedicated Data Protection Officer, whose responsibilities will be to advise on GDPR obligations, monitor compliance and liaise with the data protection authority.
The PPS Action Plan ahead of GDPR
Here at Premier Placement Services we are actively working to become fully GDPR compliant. At all times we will ensure that our policies and procedures abide by the GDPR’s key principle of accountability, and we will be fully transparent about how our agency processes data. In line with the new rules, we will centralise our data management so that we maintain complete records of how we process all information.
For more information on the GDPR visit the ICO (Information Commissioner’s Office) website.