General Data Protection Regulation (GDPR) 2018 / The Data Protection Bill
The General Data Protection Regulation 2018 (GDPR)/Data Protection Bill (UK law) will come into force on 25th May 2018. This email provides guidance on the changes.
The new legislation will replace the current Data Protection Act (DPA) and significantly changes and updates the way personal data is protected.
The biggest changes include:
The scope of the legislation has changed, meaning that all EU citizens’ data must be protected in the same way regardless of whether the data processing happens inside or outside the EU. This also applies regardless of the Brexit situation for the UK.
Penalties can reach up to 4% of annual global turnover or 20 million euros (whichever is greater). Fines of 2% can be imposed for not having records in order, not notifying the supervisory authority (the Information Commissioner's Office) and the data subject about a breach, or simply not conducting the impact assessment.
If a data subject requests a copy of all of the personal data that’s held on file for them, you are no longer able to charge £10 for this request. The timeframe for completing Subject Access Requests is also stricter, changing from 40 days to one month. You will also need to provide the data subject with more information in your response, such as how long the information will be stored for or, if this cannot be confirmed, the criteria that determine how long it is stored for.
Consent must be clear and distinguishable from other matters and obtained specifically for data processing. Clear and plain language should be used, and consent should be as easy to withdraw as it is to give. Because explicit consent, meaning a very clear and specific statement of consent, is required from data subjects, you will need to obtain it, or check that it is already held, for all current data subjects on your mailing lists and client lists. Proof of consent must also be saved (including when and how they consented).
What you need to do as a business
As a business you need to be prepared to:
· Assess the impact for your business and consider the legal basis used to justify collecting and/or processing any personal data. Consider what information you hold on the data subject and identify whether you need to have this information. If you do not need it to complete the agreed activity with the data subject, it should be removed.
· Identify and review who you are sharing the personal data with (such as umbrella companies or outsourced payroll companies) and make sure that appropriate agreements (contracts) are in place confirming how, and for what purpose, they process the data for you. Also ensure that your contracts with data subjects confirm that information will be sent to third parties and why (for example, for the processing of payroll). When sending information to third parties you must ensure that it remains secure through encryption/passwords (if passwords are used, they must be sent in a separate email from the one carrying the information).
· Identify where you are acting as a data processor (meaning that you collect and process personal data) and acknowledge the significantly wider responsibilities under the Data Protection Bill. This includes personnel records for internal members of staff.
· Be prepared to respond to individuals’ requests under new expanded rights (including but not limited to):
o to ask for personal data to be erased where it is no longer required. This applies when the data subject is no longer with you and the information does not need to be held under any other legislation. When removing this data, ensure that it is anonymised: you must not retain any of their data that could identify them.
o where the individual exercises the right to withdraw consent. This is where they ask you not to hold data on them going forward; you should stop collecting any further information on this data subject straight away. This will be the end of a contractual term with the data subject.
o where the processing of their data becomes unlawful. This is where it goes against legislation or falls outside the original purpose or manner that was agreed (for example, outside the contractual terms or the consent previously provided).
o where inaccuracies or errors are notified and need to be rectified in a timely manner;
o where the data is requested to be moved from one controller to another ('data portability'). You must provide the personal data in a structured, commonly used and machine-readable form such as CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. The information must be provided free of charge. If the individual requests it, you may be required to transmit the data directly to another organisation where this is technically feasible.
· Take into account the 'privacy by design' concept, which is now a legal requirement under GDPR. This means that data protection and its principles must be built in from the onset of designing systems, and that only data that is necessary ('data minimisation') should be collected.
· Assess the current level of security in protecting any personal data and consider if it is appropriate to the risk. Any changes that need implementing, to bring your security up to date, should be in place by 25th May 2018.
· Consider appointing a Data Protection Officer (DPO). It is mandatory for certain types of controllers and processors, such as those dealing with large-scale or special categories of data, but having someone responsible in your organisation is a good step forward in acknowledging the responsibilities.
· Update websites with privacy notices that include all types of processing completed (lawful basis of processing) and the retention periods for the information held.
Approach at Outsauce
As an outsourced payroll provider, Outsauce is working with our clients to understand their needs to be compliant as data controllers.
What Outsauce are working on:
· We understand our clients' data-keeping requirements and are investigating and developing solutions for data cleaning routines as a control to minimise data held by you as the controller and Outsauce as the processor.
· Right to be forgotten: a process to stop any communication where it is no longer appropriate or consent has been withdrawn will be put in place. It is important to strike a balance when holding payroll data for a period of time, especially to meet each country's statutory requirements.
· Outsauce are always looking for ways to continuously improve our services and we are currently increasing our focus on cyber security. We are reviewing all of the data we hold to ensure that it is required for processing and that our contracts cover the new legislation.