The EU General Data Protection Regulation (“GDPR”) applies from 25 May 2018 – the biggest and most radical shake-up of data protection law in many years. Are you ready for the changes ahead?
There has been some confusion concerning the status of the GDPR in light of Brexit, with questions hovering over whether or not the new regulation would apply in the event that the UK left the EU. However, the ICO (“Information Commissioner’s Office”) has indicated that the regulation will apply and that, as of 25 May 2018, the current Data Protection Act 1998 (“DPA”) will be superseded by the GDPR.
Whilst the regulation is much longer than the DPA and more prescriptive, its aim is to harmonise and streamline current data protection law.
Why does it affect my organisation?
The new regulation will have an impact on employee and recruitment data. If your organisation processes any form of personal data, the GDPR will apply to it.
What are the headline significant changes?
- Accountability – there will be more obligations on data controllers to demonstrate compliance. This includes amending existing data protection policies or introducing a new data privacy notice that tells the employee/candidate that they can withdraw consent to their data being processed; that they can lodge a complaint with the ICO; that they have the right to access their data and to request its erasure; and whether automated decision making (e.g. profiling as part of a recruitment process) is used.
- Consent – most organisations rely on consent from their staff to justify data processing. However, the advice from the ICO is that this should be avoided, because consent is unlikely to be freely given where there is an imbalance of power between employer and employee. Organisations should instead rely on the other lawful bases set out in the GDPR, such as ‘performance of a contract’ or ‘compliance with a legal obligation’. If an organisation does rely on consent, it must be freely given, specific, informed and unambiguous. Consent cannot be inferred from silence, a pre-ticked box or inactivity.
- Subject Access Requests – the 40-day response period for employers is reduced to 1 month. This can be extended by a further two months where requests are complex or numerous. No fee is payable unless the request is manifestly unfounded or excessive (for example, repetitive), in which case a reasonable charge can be levied or the request can be refused.
- Reporting breaches – employers will need to put in place mechanisms which allow a personal data breach to be reported to the ICO no later than 72 hours after the employer becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must also be informed.
- Data Protection Officers – not every organisation needs one. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data. If your organisation falls into one of these groups and does not have one already, you will need to appoint one or bring in an external consultant.
Failure to comply
Currently, the maximum fine for breaches of the DPA is £500,000. Under the new regime you could be fined up to €20 million or 4% of your group’s annual worldwide turnover – whichever is higher.
How can the RHA help?
In conjunction with Backhouse Jones Solicitors, we are able to provide members with a “GDPR Guidance Pack” specifically designed for the haulage sector.
The pack is a two-part process and will contain:
- Audit checklist (to be completed)
- Top tips
- Contract amendment letter
- Data request response policy
- Privacy standard
On receipt of the completed audit, Backhouse Jones Solicitors will provide the member with bespoke, transport-specific Privacy Notices.
How much is it?
RHA Legal Services member: £395 + VAT
Non RHA Legal Services member: £495 + VAT
What about commercial GDPR?
If you would like a review of your existing Data Protection clause(s) in your standard Terms & Conditions, a pack is available for this.
RHA Legal Services member: £250 + VAT
Non RHA Legal Services member: £350 + VAT
Can I buy a combined package?
Of course! For a combined package covering employment and commercial GDPR, the costs are:
RHA Legal Services member: £550 + VAT
Non RHA Legal Services member: £650 + VAT
To purchase one of our GDPR guidance packs or for further queries, please contact Kathryn Wheat on 01733 261131 or email firstname.lastname@example.org