Royds Withy King dispells the myths around GDPR
There is a lot of discussion around the new General Data Protection Regulation (GDPR) due to come into force on 25 May 2018 and the implications for business are significant.
However there is still a large amount of uncertainty and speculation. Jessica Bent, partner and co-head of Oxford-based law firm Royds Withy King‘s Technology, Media & Telecommunications team and Kate Benefer, partner in the Employment team dispel some of these myths.
Myth 1: If you’re compliant with the Data Protection Act 1998 you’re okay.
Not quite. If you’re compliant with the DPA 1998, it’s an excellent start to your compliance journey. However, GDPR is bringing about some big changes that businesses need to be aware of, even if to date you have been compliant with the DPA 1998. Therefore, it is a good idea to revisit your compliance toolkit, map your data flows, and look at your privacy policies and contracts.
Myth 2: It’s just an HR problem.
No it really isn’t. We’re aware that HR teams have been tasked with the management of GDPR, but it is more accurate to say that the issues broadly fall into two camps, as follows:
Business issues: The business issues cover the management of personal data from individuals, whether those individuals are your customers, your prospects, your donors, your members, or your suppliers. Bear in mind we are talking about personal data, so it is not a company name (for example), but the name of a person at the company/organisation.
The business issues also cover the dissemination of personal data that you gather. So for example, are you transferring personal data to IT providers, cloud providers or insurance companies to provide services? The dissemination of such personal data needs to be managed through a data processing contract or data processing clauses in another contract.
HR issues: From a HR perspective organisations need to consider two angles
(i) Employee data:
Organisations will be processing employee data which includes data collated as part of the recruitment process right through the employment lifecycle and beyond. The type of data will be wide-ranging but is likely to include things such as identification, contact details, medical information, DBS checks and bank details.
All employee data needs to be processed in accordance with the principles of GDPR. This includes establishing a lawful basis for processing the data, not collating or keeping data without good cause and ensuring that you inform candidates and employees of the purposes for which you are processing their data.
(ii) Employees handling third party data:
It is likely to be your employees who are handling your third-party data on a day to day basis and therefore, it will be your employees who ensure that your business either complies or fails to comply with the GDPR requirements.
Employment contracts, policies and internal rules may therefore need to be updated to make the obligations clear. Employees will need to be provided with information and training to ensure they know what they are required to do and what the consequences of not doing so, will be. For example, you may want to introduce a policy relating to reporting of GDPR breaches, amend your disciplinary policy and introduce or update your policy in relation to subject access requests.
Myth 3: It’s all about fines.
Fines are going up, without a question, increasing to a maximum of 4% of global annual turnover for the most severe breach of GDPR. However, the Information Commissioner’s Office has clearly indicated that it prefers a carrot rather than a stick approach, so we are not expecting to see immediate large fines once the Regulation is in force. However, this should not encourage complacency; the ICO will be monitoring how businesses manage personal data (for example through complaints it receives, or proactive investigations it launches) and flagrant disregard will no doubt be addressed.
Myth 4: It’s all about consent.
Not quite. To process personal data, the data controller must have a lawful basis on which it can rely. One of the lawful bases is consent, however the other key lawful bases are:
- to perform a contract to which a person is a party
- to comply with a legal obligation
- for the legitimate interests of the data controller.
Thus, if you are wishing to send marketing information to a customer, you will need consent, as there is not another relevant legal basis. However to use a different example, if you are providing software to an individual under a contract, your lawful basis to process that personal data is to perform the contract. From an HR perspective, consent is unlikely to be the lawful basis you can rely on for processing employee data. You are more likely to rely on the performance of the contract or a legal obligation. For example, to be able to perform your contractual duty of paying an employee, you will need to process their bank details and to comply with your legal obligations in relation to health and safety and disability discrimination, you may need to process data relating to an employee’s health.
So what happens next?
From an HR perspective, review the employee data you hold and consider the lawful basis for this. Review contracts and policies to ensure you have clearly set out the correct basis for processing and have not just referred to consent. You should also start planning for how you will inform and train your staff about their obligations and review or create policies to ensure the requirements are clear.