DATA CHANGES FOR EMPLOYERS
SNS Solicitors have no doubt that the Kent business community is prepared for the considerable changes to the handling of data that is to be introduced from 25 May 2018, however a gentle reminder to ensure that one is compliant could be helpful.
The European Union General Data Protection Regulation (GDPR) is being introduced despite Brexit. Even if the government had not decided to implement the regulations, UK firms doing business within the EU would still need to comply with the regulations as they affect organisations offering goods and services to EU citizens.
The Data Protection Act 1998 (DPA) defined data holders as either processors and controllers and the GDPR has similar definitions. Controllers must say how personal data is processed and also why it is processed whilst processors must maintain records of the processing carried out on the controller’s behalf.
So, a processor needs to keep records and a log must be kept of every call or email sent to a client or potential client. A controller must ensure that the processors are complying with GDPR.
The GDPR also insists that controllers and processors are accountable, and accountability will require businesses to be able to show that they have the systems, document storage, training and data processing in place to demonstrate that the system being operated is compliant.
A new difference between the DPA and the GDPR is its conception of personal data. This is going to have a significant impact on employers when faced with a data request from staff. Not only has the normal personal data to be considered but there is a much wider definition to include any genetic, cultural, economic, social and IP data and even material using a pseudonym if it can be particularied. Consent needs to be sought for the use of the data and silence can no longer be assumed to be consent. Members of the work force need to be asked permission to use the data and employers would be prudent to obtain a written consent for that use.
Employers will need to check their systems and consider how best to adapt them to conform with the new regulations. Any breaches of the regulations need to be self-reported within 72 hours of realisation and so having the right system in place before something goes wrong is essential. Data subjects have the right to be forgotten and the system must be able to cope to not include those individuals who wish to maintain their personal privacy. The reason this is so important is that fines of 20,000 euro or 4% of gross turn over can be levied against GDPR offenders.
If you need help please phone SNS Solicitors who can monitor your systems and check for compliance. Even if you do not need help we would advise that all controllers and processors, which includes all employers, should check and monitor their systems to ensure that they are fit for purpose.