The General Data Protection Regulation (GDPR) is due to be implemented on 25 May 2018. The UK’s decision to leave the EU by the end of April 2019 does not exempt the UK from implementing impending EU legislation.
The GDPR will replace the existing EU Data Protection Directive, on which the Data Protection Act 1998 is based, and is directly applicable in each member state. The benefit of this is that, without national interference, the data protection rules for all EU member states will be the same, which should make compliance easier.
What you need to know:
Whilst the underlying concepts and principles of the GDPR are the same as those under the current EU data protection legislation, there are some new concepts introduced and several key changes which you will need to prepare for by May 2018. Those changes include:
- Extending the scope of the data protection regulations to businesses outside the EU that operate within the EU;
- Enhancing and tightening the rules on consent;
- Enhancing the rights of Data Subjects and introducing new concepts such as the ‘right to be forgotten’ and the right to request data transfer to a third party (data portability);
- New reporting requirements for breaches of the Data Protection legislation;
- The introduction of the concept of Privacy by Design and the need to include data protection in your plans, policies and procedures from the outset;
- The requirement for Privacy Impact Assessments to be produced in high-risk situations;
- The introduction of tougher sanctions for breaches of the Data Protection legislation;
- The introduction of a requirement for Data Protection Officers to be appointed in public authorities and organisations conducting high-risk activities.
Whilst the above key changes are by no means the full extent of the changes introduced by the GDPR, they are a snapshot of some of the most important changes that your business needs to be aware of.
For most UK businesses, the change likely to have the biggest impact is that relating to consent. Under the GDPR, consent must be informed and must be given by affirmative action. Silence, pre-ticked boxes and/or inactivity will not be sufficient. Furthermore, these provisions will apply to data acquired prior to the GDPR coming into force as well as data to be acquired after April 2019.
One key effect of this will be the need for businesses to review the data which they currently hold to determine what consent, if any, they have in respect of that data. Where any consent has not been fully informed or expressly given, the business will need to consider deleting that data or contacting the data subject to obtain express informed consent, unless one of the other lawful processing conditions applies. The impact of this on such things as marketing databases could be significant.
If you want to read further information about the GDPR, then take a look at the Information Commissioner’s overview here.
If you would like help reviewing the HR impact of these changes in your organisation, please do give us a call. We provide outsourced HR support that has a really positive impact on your business and can provide the HR support and advice that you need. Call us on 01473 360160 to discuss how we can support you.