The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016, with an enforcement date of 25 May 2018.
The GDPR reinforces EU data protection law, which was originally introduced with the Data Protection Directive in 1995 and resulted in the Data Protection Act 1998 in the UK.
Organizations in breach of the GDPR can be fined up to 4 per cent of their annual global turnover or 20 million euros (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements.
The conditions for consent have been strengthened: the request for consent must be given in an intelligible and easily accessible form, using clear and plain language, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters. It must be as easy to withdraw consent as it is to give it.
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
The GDPR introduces the right to be forgotten, which entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.
For employers, the GDPR builds on the established data protection principles and introduces some important changes in the way they should communicate data protection information to their staff. Significantly, employers will no longer be able to rely on consent as a lawful reason for processing personal data and instead will be able to rely on one of the other lawful reasons for data processing under the GDPR.
Employers should have a clear privacy notice which communicates to employees and job applicants information about the personal data they collect and process and why, how it is kept, and sets out the individual’s rights and obligations under the GDPR.
The Lawrite Documents package for employers includes GDPR-compliant templates for data protection policies and privacy notices which employers can use.