Despite the fact that Britain is set to leave the European Union, the General Data Protection Regulation (GDPR) will come into force here in the UK on 25th May 2018. It’s been almost two years since the proposals were approved, but research from Blake Morgan LLP suggests that 23% of companies are still unaware of the new law and what it will mean for them. The message here is clear… It’s time for business owners to get up to speed with how the changes will impact them, and get their plans in place.
By this stage, we’re assuming that you’re at least a little bit familiar with what’s happening. But just in case you’re not – in a nutshell though, its intention is to extend the scope of the EU data protection law to all foreign companies processing data of EU residents, and it applies to controllers and processors of data. If you’re subject to the Data Protection Act, it’s likely that you’ll also be subject to GDPR.
Here are some important factors that you need to consider…
GDPR will apply to businesses of all sizes
Sometimes, small businesses are exempt from certain legislative changes. Gender pay gap reporting, for example, is only necessary for businesses with 250 or more employees. Even if you only employ a few people though, you still have responsibilities. This is because you still may process a large amount of data when it comes to the day-to-day running of your operations. Ultimately, you need to take steps that are ‘appropriate’, taking into account the nature, scope, and context in which you handle and process data.
Brexit isn’t our get-out clause
When the Brexit vote was first announced, many speculated that this would mean that we wouldn’t have to comply with GDPR. This however isn’t the case, so any insinuations to the contrary should be ignored. There are still many questions surrounding Brexit, but this isn’t one of them.
The use of profiling in the recruitment process must be reconsidered
Many businesses now use automatic profiling to filter through applications and CVs for candidates who mention specific skills or qualifications. Moving forward, you’ll have to notify applicants that this is the case and you may need to give them the opportunity to object to that. In some companies, this could mean a return to more manual processes.
You’ll need to create a process to quickly report data breaches
Once GDPR comes into force, you’ll have just 72 hours to disclose any data breaches to the relevant authorities. If there’s potentially a high degree of risk for the individuals concerned, then you’ll also need to inform them. Three days isn’t a great deal of time to get things sorted and ensure your responsibilities are fulfilled, especially if you don’t know exactly how you’ll go about it. Now’s the time to think about creating a process that will be followed should the worst-case scenario occur.
You’re unlikely to receive a huge fine – but that doesn’t mean that you shouldn’t be prepared
The maximum fine under GDPR is 4% of annual global turnover, or €20 million – whichever is higher. So understandably, there has been a lot of speculation around companies being landed with hefty penalties. Elizabeth Denham, the Information Commissioner, said in a blog published back in August: “Thinking that GDPR is about crippling financial punishment misses the point. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us… But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that the maximum fine will become the norm.” So to summarise, employers should focus on their areas of risk and raising their bar, instead of being fearful of fines.