GDPR, the new EU General Data Protection Regulation, is coming into effect on May 25th 2018. If your organisation deals with the Personally Identifiable Information (PII) of EU citizens, you are under the law’s remit. Organisations in non-compliance will face heavy fines.
“With maximum fines increasing so significantly, employers must get familiar with the changes quickly.”
Companies need to address their data handling processes in order to comply with the new regulations, and quickly. However, when customer and employee data is handled through multiple processes, and in a variety of structured and unstructured formats, redesigning how that data is handled across the business can seem overwhelming and time-consuming.
“The starting point is likely to be a review of all data protection documentation in place to ensure it remains valid.”
- Employee consent to their employer processing their data will need to be informed, freely given and specific. Employee handbooks will need to be reviewed in this regard;
- Data protection risk assessments are likely to be required when carrying out a new project or implementing a new system;
- When responding to a Subject Access Request, employers will no longer be able to charge the employee a fee for gathering the information unless the request is manifestly unfounded or excessive, in which case a “reasonable fee” can be applied. The information will have to be provided without delay and within one month at the latest (currently a 40 day limit applies);
- Individuals will have new rights to have data corrected, to restrict how it is used and to be ‘forgotten’;
- Data processors will no longer need to inform the Information Commissioner’s Office annually of data processing activities. Instead there will be increased record keeping requirements;
- Maximum fines for very serious instances of non-compliance will increase from £500,000 to £20 million or 4% of an organisation’s worldwide annual turnover, whichever is the highest.