Warning: General Data Protection Regulation (GDPR) is coming

Peninsula Team

September 04 2017

Please note that this article is for information only. The Peninsula Group does not offer services for GDPR implementation and is unable to provide additional advice.

Remember the date: 25th May 2018. Ignore it, and your business is at high risk of a fine of as much as either €20 million or 4% of your annual turnover. Why? Because the General Data Protection Regulation (GDPR) comes into effect, unifying the law across Europe. GDPR is new legislation to replace the UK Data Protection Act (DPA). It adds a huge amount of data responsibilities onto you, which any business owner would be foolish to ignore.

Put it this way: a year ago the telecom giant TalkTalk had to pay a £400,000 fine for data security failings. Under GDPR, that would be £59 million. So, as if it hasn’t hit home yet, you need to prepare now. And no, Brexit won’t save UK businesses from this legislation. It’s going ahead.

Who does GDPR affect?

Everyone. But especially you as an employer or business owner—no matter how big or small your organisation. And that’s because you will likely control personal data (or at least process it on someone else’s behalf). If you don’t think that applies to you, the term ‘data’ itself refers to any personal information you store. If you have employees, you should at least have their contact and bank details. That’s data. Even staff performance reviews and attendance records—all data. On the surface, following GDPR is similar to current legislation in that you must demonstrate secure data storage and respect data owners’ rights. But changes are on the way…

The main changes under GDPR

The problem with the current legislation, the UK Data Protection Act, is that technology moved far faster than that law could keep up with. So rather than adding more amendments to laws that already lagged way behind how we live our online lives, GDPR will arrive to give people more control of their personal data. Here’s how:
  • The right to be informed – where you state in your privacy notice how you process information fairly.
  • The right of access – consumers can get access to their data and find out how you’re using it.
  • The right to rectification – people can ask you to update any inaccurate or incomplete data.
  • The right to erasure – commonly called ‘the right to be forgotten’. People can ask you to delete or remove their personal data.
  • The right to restrict processing – where you’re allowed to store but not process personal data.
  • The right to data portability – allows people to get their data from you for their personal use.
  • The right to object – people can opt out of you profiling them based on their data, direct marketing to them, or using their data for research.
  • Rights in relation to automated decision making and profiling – protection against mistakes where humans are not involved in data processing.

What you should do now

If 25th May 2018 seems like a long way away, it isn’t. But it is still enough time. Here’s what you can start doing now:
  • Make sure people in your business know that the law is changing.
  • Create a register of the personal information you hold, where it came from, and who you share it with.
  • Review your current privacy notices for the data you store and prepare to change them for GDPR.
  • Get consent to store, manage, maintain and use personal data.
  • Check that you can honour the rights of individuals. If someone asks for their data, you should be able to give it to them in a secure, standard format.
  • If someone asks you to remove their data, make sure you can prove you’ve done so.
  • Put in place a process for handling requests for any of the data you hold, including how quickly you will respond, how you will provide it, and how you will assure requesters that they own it.
  • Decide if you need a system for identifying the age of individuals and whether you need parent or guardian consent.
  • Have an emergency plan in case you lose data or someone steals it.
  • Nominate a responsible person to be your Data Protection Officer.

Start doing your research

The Peninsula Group recommends you research as much as you can about GDPR. As employment law, health & safety and HR software specialists, this basic outline is all the information we can offer you. But it’s enough to get you started. Remember, the sooner you start preparing, the sooner you get your house in order, and the smoother the transition will be—protecting you against a devastating financial penalty.

Bio: Alastair Brown is Chief Technical Officer of people management software company BrightHR.