The General Data Protection Regulation (GDPR) applies in the UK from Friday 25 May 2018. An organisation found to be in breach of the GDPR after this date could face a fine of up to 4% of its annual worldwide turnover or €20m (£17.8m), whichever is greater.
Organisations need to review their data processes to ensure that they comply with the requirements of the GDPR. Whether you are unsure about where to start with your GDPR preparation, or are further down the line with your compliance efforts, we can help you.
Below is a list of policies and documents that you should consider updating to be GDPR-compliant.
Data protection policy
Register of HR-related personal data
Employee privacy notice
Job applicant privacy notice
Form for making a subject access request
Letter responding to subject access request providing requested information
Letter responding to data subject access request asking for more information
Letter extending time to respond to a subject access request
Letter refusing subject access request or asking for an administrative fee
Register of subject access requests
Will the General Data Protection Regulation (GDPR) also affect smaller employers?
Yes. The General Data Protection Regulation (GDPR) will apply to organisations of all sizes. The reason for this is that, even where an organisation employs only a few people, it could be processing a large amount of data in the course of its business and the consequences of non-compliance with the GDPR could be significant.
The GDPR requires organisations to take measures that are appropriate, taking into account the nature, scope, context and purposes of processing, as well as the likely risks to the rights and freedoms of individuals. Further, supervisory authorities are required to ensure that any fines are effective, proportionate and dissuasive.
Therefore, it is less likely that the supervisory authority will focus its attention on organisations that do not process a large amount of personal data and are not involved in higher risk processing. Further, those organisations would not be expected to commit as many resources to GDPR compliance as higher risk organisations would.
There is a limited exemption for organisations with fewer than 250 employees in relation to record-keeping requirements, but employers should be aware that this is only a narrow exemption and that the other requirements and principles of the GDPR apply regardless of the organisation’s size. Further, organisations with fewer than 250 employees must still retain a record of their processing activity if the processing:
is likely to result in a risk to the rights and freedoms of data subjects;
is not “occasional”;
includes special categories of data (ie sensitive personal data); or
includes personal data relating to criminal convictions and offences.
It is therefore unlikely that small employers would be able to rely on the exemption: processing of employee data is not occasional, and most employers will process special categories of data (for example sickness and health records) relating to their employees.
Conducting an HR personal data audit is a significant stage for organisations in developing a compliance programme for the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the Data Protection Bill. The aim of the HR data audit is to identify all categories of personal data processed by or on behalf of the employer for HR purposes and to gather relevant information on each data category (for example its source, purpose, legal basis, retention period and recipients). This will enable employers to identify any compliance gaps between their data processing practices and GDPR requirements. A comprehensive audit will also assist employers to comply with their accountability and record-keeping obligations under the GDPR, and to locate and access personal data in response to requests relating to data subject rights.
The GDPR applies from 25 May 2018.
Looking for a comprehensive HR audit that will identify whether you have the correct contracts, policies and procedures in place?
You can contact us by filling out the secure contact form, by sending an email to [email protected], or by calling us on 01243 607357.