Despite Brexit, the UK government has indicated that it will implement the EU’s General Data Protection Regulation (GDPR), which will apply from 25 May 2018. Even if it had decided not to, companies dealing with data relating to EU citizens would still be required to comply because the GDPR will – subject to limited exceptions such as national security – affect not only organisations operating within the EU, but also those outside the EU that offer goods and services to individuals within the EU.
The GDPR will apply to companies that fall into two broad definitions: ‘controllers’ and ‘processors’. The definitions are similar to those defined in the Data Protection Act 1998 (DPA) in that controllers say how and why personal data is processed, and processors act on the controller’s behalf.
If you are a processor, the GDPR will place specific legal obligations and liabilities on you; for example, you will be required to maintain records of personal data and processing activities.
If you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
While the principles are similar to those in the DPA 1998, there are some additional requirements that UK companies need to be aware of. The most significant is accountability. The GDPR requires you to demonstrate compliance by design. This means ensuring you have adequate systems, contractual provisions, documented decisions about processing, and training in place.
Pertinent to an HR manager – and, as with the DPA 1998 – the GDPR will apply to ‘personal data’ held about employees. However, the GDPR’s definition is broader. Any data that can be used to identify an individual is considered to be personal data. It can include things such as genetic, mental, cultural, economic or social information, and IP addresses. Even ‘pseudonymised’ data may fall within scope, depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data, known as ‘special categories of personal data’, is treated broadly as it is under the DPA 1998, but there are some minor changes that will need to be addressed. It will include genetic data and biometric data where processed to uniquely identify an individual.
The issue of ‘consent’, where it validates the use of personal data, is also a significant development. Organisations need to ensure they are explicit when seeking consent and detail how they will use the information. An individual’s silence or inactivity will generally no longer be considered as consent.
Copyright © 2017 Stallard Kane Associates. All rights reserved.