WHAT?! A NEW EU LAW WHICH WILL REPLACE THE DPA 1998?!

Published 31 Jul 2017

Yes, you heard correctly! In just under a year’s time, on the 25th May 2018, the new EU General Data Protection Regulation (the “GDPR”) comes into force. The GDPR expands significantly on the current principles for data protection and the DPA 1998 will be laid to rest. GDPR has been designed both to harmonise data protection across Europe and to modernise it, accounting for the scientific and technological advances that have taken place in recent years.

Given the EU angle, and the uncertainty that still surrounds Brexit, it is worth noting that it has been confirmed that the GDPR will apply to us: the UK’s departure from the EU will not affect this.

What are the key objectives of GDPR?

· Give citizens and residents back control of their personal data.

· Simplify the regulatory environment for international business by unifying the regulation within the EU.

What are the key stipulations of GDPR?

· Firms of over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly.

· GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.

· Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but at least within 72 hours.

· Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.

· Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice, but under the GDPR fines can reach up to €20 million or 4 per cent of annual turnover (whichever is higher).

So, if your business handles personal data, which I do believe all businesses do, you will need to comply with the GDPR. The GDPR defines “personal data” as follows:

· any information relating to an identified or identifiable natural person (a data subject)

· an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

To put it simply, if you are currently required to comply with the Data Protection Act, you will have to comply with the GDPR.

Q: So, what will my business need?

A: For Starters: A New Data Protection Policy

A year may seem like a long time, but there’s no time like the present to start preparing for the GDPR, particularly given that it is a stricter regime than the current one and the penalties for failure to comply are considerably harsher.

In the coming months, Lotus HR will share information on the new GDPR law and prepare guidance for SMEs from an HR perspective.

We will also develop a GDPR policy, setting out the rights of data subjects and the obligations of a business as a data controller under the GDPR, covering a number of organisational and procedural measures to help ensure compliance.

Start Preparing Today!

Starting with this blog, we will be providing more information and guidance as the year progresses, helping to ensure that you are informed and ready on time.