Data protection and the GDPR – what does this mean for my business?

The General Data Protection Regulation (GDPR) comes into force in May 2018, so what generally should businesses be aware of?

Overview:

  • Larger penalties for breach
    • A new tiered approach means penalties for the most severe breaches will increase from the current level of £500,000 to up to 4% of annual worldwide turnover or €20 million (depending on the nature of the breach).
  • Brexit does not provide an immediate escape route
    • The GDPR takes effect before Brexit and its effects have a wider territorial reach than the current law.
    • Organisations do not need to be in Europe for the GDPR to apply. For example, if a website can be accessed by persons in the EU, the GDPR can apply where EU individuals are targeted or monitored (e.g. cookies are used to track persons or IP addresses are collected).
  • Data processors now face liability for non-compliance
    • It is not only data controllers who need to comply with the GDPR. Obligations will be placed on data processors to comply with the GDPR (this includes requirements for consent from data controllers to appoint new sub-processors, the need for activities to be covered by a binding contract, to keep records…and so on).
  • New and increased rights for data subjects
    • New rights include a right to be forgotten, a right to restrict profiling and a right to portability. The current rights available to data subjects are mainly retained and increased. For example the timescales organisations have to deal with subject access requests will decrease to a month.
    • The definitions of personal data and sensitive personal data have been widened. Online identifiers such as IP addresses or cookies are mentioned within the GDPR.
    • Information or fair processing notices must be provided in a concise, intelligible, transparent and easily accessible way. Additional information may be required to be provided by the data controller if this is necessary for the processing to be fair and transparent.
    • Using consent as the lawful basis to process personal data is made more difficult under the GDPR. If consent is used as the basis for processing this should be checked to ensure it meets GDPR requirements. Data subjects can withdraw consent at any point.
  • Be able to demonstrate compliance with the GDPR
    • To comply with the GDPR, organisations will need to implement technical and organisational measures to ensure data is processed appropriately and that the data is protected by an appropriate level of security. Organisations will be required to demonstrate that measures have been taken to reduce the risk of breaching the GDPR.
    • The “pseudonymisation” of personal data is encouraged by the GDPR. This means that the data is processed in such a way that it can no longer be used to point to a data subject without the use of additional information. This additional information is to be kept separately and securely (to prevent the pseudonymised data being attributed back to the data subject).
    • Privacy impact assessments will be required for data processing or technology which presents a high risk to individuals (a high risk is gauged in relation to the risk of infringing an individual’s rights and freedoms, such as large scale processing of sensitive data or profiling activities).
    • Data Protection Officers may be required depending on the format of the organisation and its core activities. For example the majority of public authorities will be required to appoint a DPO, together with those organisations which carry out regular and systematic monitoring of data subjects or large scale processing of sensitive data or criminal records.
    • Organisations will be required to keep records of their processing activities (e.g. types of data processed and for what purpose).
  • Mandatory reporting of personal data breaches
    • Data controllers will be required to report breaches to the relevant supervisory authority and/or the data subject unless certain exemptions are satisfied.
    • Data processors will be required to notify data controllers of all and any breaches “without undue delay on becoming aware of it”. More guidance is expected on this point, given the lack of exemptions in this area.

The above notes provide only an outline of certain consequences faced by businesses under the forthcoming GDPR. Unfortunately this is not something businesses can ignore until May 2017, and it makes sense to start to address how to implement the required changes if they have not begun already. For example:

  • reviewing staff policies
  • reviewing how and what data is collected at present, checking whether or not consent from the data subject is obtained
  • reviewing the use of sub-contractors and suppliers and any relevant contracts already in place
  • planning on how to deal with data breaches, checking what technical and organisational measures are in place
  • conducting risk assessments.

More guidance is expected from the Information Commissioner (ICO) in the coming weeks and months which should be helpful. In the meantime – see here for some preparatory advice from the ICO https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

When Office Romance Turns Fifty Shades Darker

It’s no surprise that so many of us meet our significant other at work; we spend a lot of time with our work colleagues and often more time than we spend engaged in personal activities. However, cupid’s arrow doesn’t always strike it lucky and not everyone gets their happily ever after. Office romances can often be as short lived as the good biscuits in the office biscuit tin and cause more trouble than a gust of wind to Donald Trump’s hair when colleagues fall out of love.

There’s no employment law against office romance and, in any event, it wouldn’t make much sense for employers to ban relationships at work because for some the risk of being caught would make it all the more fun. Love contracts are commonplace in the US but to dismiss employees for partaking in a ‘romantic liaison’ or office romance may result in claims of an unfair dismissal and sex discrimination.

And yet they have their obvious problems; one half of the couple doesn’t want things to end or the feeling isn’t mutual and flirting or sexual advances are most definitely not welcome. The possibilities for sexual harassment complaints are endless. There are also other issues to consider. For example, one half of the couple may have the power to make decisions over the other’s role. This could give rise to a conflict of interest and accusations of favouritism from jealous colleagues, and depending on their respective positions in the business how can the employer be sure that confidential information remains just that?

Rather than have a policy exclusively dealing with dating or romantic relationships between co-workers, employers should think carefully about any type of work relationship that could lead to some of the same issues arising as in romantic relationships, including favouritism, reduced productivity and conflict of interest, and recognise that these relationships may occur between a variety of different individuals such as co-workers, clients and customers. Of course, the behaviour or conduct that will not be tolerated in the workplace, including inappropriate physical contact or language or personal use of company communication systems, should also be very clearly explained so there can be no doubt about the standards expected in the workplace, whether the relationship in question is romantic or strictly professional.

Donna Reynolds is experienced in Employment Law and HR matters advising SMEs in Fife, Edinburgh and across Scotland.