Ruth Buchanan: The new General Data Protection Regulation is just around the corner

With under a year to go before the General Data Protection Regulation (GDPR) takes direct effect on 25 May 2018 in European Union (EU) member states, including the UK, employers should be preparing for its implementation.

GDPR introduces a much tougher regime than the existing data protection legislation, with potential fines of up to 4% of total worldwide annual turnover for serious breaches and criminal liability for individuals.

Tighter rules on how staff can give consent to the use of their data by employers will require many employers to establish new robust procedures. Consent will have to be “freely given, informed, specific and explicit” which will mean that a blanket consent in, for example, an employee’s signed contract of employment will be ineffective. To allow data portability, individuals will also have the right to obtain a copy of their personal data from their employer in a commonly used and machine-readable format in order to transmit this to another data ‘controller’. A ‘right to be forgotten’ by the erasure of data will also apply.

New obligations apply directly to data processors such as third-party payroll providers used by employers. Employers should consider reviewing any contracts with data processors to reflect these new requirements.

Staff benefits provided by third-party providers require employers to transfer significant amounts of staff data outside their businesses. Employers should look at whether the service providers are based in or outside the EU and consider whether, for example, any procedural changes are needed to comply with the transfer restrictions in the GDPR.

To prepare for the GDPR, employers should consider: forming an internal task force to oversee its implementation; appointing a data protection officer responsible for ongoing compliance; checking that current procedures for the storage, use and transfer of personal staff data are fit for purpose; reviewing contracts with data processors; and establishing an action plan in the event of a data breach.

Ruth Buchanan is a partner in the employment practice at law firm Ashurst