GDPR - What will change, How to prepare, Opportunity or threat
Rachel Hill
HireHive
First of all, GDPR stands for General Data Protection Regulation. The regulation was in preparation for 4 years before its official approval on the 14th April 2016. However, GDPR will only be enforced from the 25th May 2018 - meaning you now have 324 days to prepare!
The aim of GDPR is to protect all EU citizens from privacy and data breaches in a world where data is the new oil. The document will replace the current 1995 directive that outlines the key principles surrounding data protection in the EU. All organisations within or selling goods/services in the EU must be compliant with these new laws or face heavy fines.
While the key principles surrounding data protection from the 1995 directive remain the same, there are some changes outlined in the main GDPR website.
The biggest change to the current data protection laws is that GDPR applies to all companies processing the personal data of people in the EU, even if the company is not physically located in the EU. Non-EU companies will need to appoint an EU representative. Under the current laws, territorial scope is ambiguous.
Probably what has made businesses most conscious of GDPR are the heavy penalties for non-compliance. If you are in breach of GDPR, expect a fine of 4% of annual turnover or 20 million (whichever is greater).
Businesses must now get clear consent from data subjects under GDPR. They can no longer use complicated terms and conditions to ask data subjects for consent through any medium. Instead companies must provide terms and conditions in an understandable manner and provide an equally simple way for subjects to withdraw consent.
Under GDPR, all data processors must record a breach within 72 hours of becoming aware of it. Data processors will also have to tell the affected data subjects within this time.
Data subjects now have full rights to ask data controllers about their data - where it is processed and for what purpose. The data controller must provide a free copy of the personal data in an electronic format. Similarly, data subjects have the right to ask controllers to erase their data.
All companies that process data on a large scale, are public authorities, or process special categories of data such as criminal offences must appoint a Data Protection Officer (DPO). Under current law, all data controllers must submit their data processing activities to the Data Protection Authority (DPA). From the 25th May 2018, only internal record keeping will be necessary.
An internal DPO should meet the following requirements:
At the TechConnect Live event at the end of May, Gareth Davies - Data Protection Officer at the Kerry Group - said a data audit before GDPR enforcement is vital. A data audit involves analysing the amount and kind of data you have, who is holding it and how the company will handle data in the future.
As mentioned, you must clearly explain to data subjects what you will do with their data before they give consent. For example, you can no longer go to an event, collect hundreds of business cards and contact those businesses without consent. While some businesses may need to hold data for medical or legal reasons, this consent requirement is particularly concerned with the further use of data for marketing purposes.
As we build recruitment software, we couldn't leave this point out! Barry Rudden - Senior Director at Sigmar Recruitment explained the necessity of making employment contracts clear and transparent for employees, at Tech Connect Live 17. This ensures there is no ambiguity regarding consent. He also suggested that businesses can expect more internal requests from past employees about their data.
Many articles focus on the heavy penalties and the overall effort, but GDPR may be good for business. For one, businesses may gain a competitive advantage by being fully GDPR compliant. With the many data breaches of the last few years, people are more concerned about the handling of their personal information than ever before. By complying with GDPR, you are safeguarding personal information and building relationships with clients based on transparency and trust.