The General Data Protection Regulation (GDPR) is new EU legislation that reforms laws regarding the handling of personal data. Regardless of Brexit the GDPR will come into effect in the UK from 25th May 2018.
Penalties for non-compliance are severe and can be as high as 20 million Euros or 4% of an organisation’s global turnover, whichever is greater.
How does the GDPR differ from current regulations?
- Implement more stringent controls over what constitutes unambiguous, informed ‘consent’. Consent cannot be “assumed” and can be freely withdrawn
- Provide enhanced rights for data subjects such as rights of data erasure, correction of inaccurate data, removal from digital marketing, rights to request transfer of personal data to another service provider and the right to be notified of data breaches in certain circumstances
- Introduce new accountability measures including conducting privacy impact assessments, and appointing data privacy officers in certain circumstances
- Require organisations to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours if a breach may risk the rights and freedoms of individuals
The principles of the GDPR, set out in Article 5, require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
How CIPHR can help hospices to comply
The ICO provides a best practice recommendation that organisations should try to give remote access to a secure self-service system to give the individual direct access to their own information. Self-service functionality provides transparency and enables individuals to ensure data accuracy.
Using CIPHR’s SaaS HR system, employees and volunteers can access and update their own personal information via a secure self-service portal. CIPHR also includes tools that will help you to document when consent from employees was granted for processing personal data. Furthermore, CIPHR has strict policies, procedures and security systems in place which are designed to ensure that our clients’ data remains secure.
If you currently use spreadsheets and documents to store employee data, you may find it difficult to comply, or to demonstrate compliance, with the GDPR, so you’ll need to think about how you may need to do things differently.