by Chelsey Newsom | 26 February 2018
This week we are hosting a CPD event on the new General Data Protection Regulations (GDPR). Here is a rundown of the main points ahead of the event:
General Data Protection Regulations
Just as we thought we had overcome the IR35 hurdle, we have been hit with another challenge that will affect not only us as a business but also the organisations that we recruit to in our market. The new General Data Protection Regulations (GDPR) are being enforced and are replacing the current Data Protection Directive. GDPR is a regulation that was adopted in April 2016 but will be enforceable from 25 May 2018 and will be compulsory across all countries. These upcoming changes will affect every organisation and the way that you work within that organisation. The regulations are intended to reinforce data protection for all individuals within the European Union and to allow greater control over how the individual’s personal data is used and stored. They should therefore enhance the protection of an individual’s personal information from misuse. The new regulations also come with some hefty fines for organisations that are deemed to be in serious breach of them, which can be up to 4 percent of the global annual turnover.
The key principles for GDPR are:
Information and consent
Data controllers such as local authorities must inform the individual how they process data before the processing takes place. This is not a new principle, but more information will need to be provided. This includes the legal basis for processing the data, the timescale in which the data shall be returned, and whether there is a contractual and statutory requirement to provide this data, along with the consequences of not providing data on request. In order for consent to be valid, it must be freely given and specific, and must also allow the individual to withdraw consent at any time. Consent for information from children under 13 must be obtained from a parent or guardian.
Right to be forgotten
A request made by the individual to withdraw consent for their information must be actioned accordingly, provided there is no lawful right or other reason to continue processing such information. The organisation must also notify anyone with whom the data has been shared. The candidate has the right to request that this information be removed if it is no longer necessary.
Subject access request
This will remain the same as the current legislation, in that the individual has the right to request information that the organisation holds on them, but there have been further amendments to the current legislation. The time limit to respond to such requests has been reduced to 30 days from the original 45 days. Organisations must ensure that they have provisions in place to meet such deadlines. Further information must also be provided to the individual, including the purpose of processing the information and the recipients of the data.
Data breaches and active compliance
Organisations are required to notify the Information Commissioner’s Office when a data breach has occurred that is likely to impact the individual and cause damage. If the data breach looks like it is going to cause damage, then the Information Commissioner’s Office has the authority to issue the organisation with a fine. Organisations will need to appoint a GDPR and Data Protection officer, deliver staff training programmes and ensure continued audits are in place to make sure the organisation is compliant.
Due to the impact that the regulation will have on the organisations that we recruit to, we will be hosting a number of certified professional development training courses across the UK, with one having taken place in Liverpool and a second coming up in London. We will be hosting our second CPD event on Thursday 1st March, 2018 in conjunction with 36 Civil Group. The keynote speakers include Joseph Dalby SC (Irl) and Simon Harding, who are both experts in the field of data protection. The session will explore the issues clients will have around the regulations and how to overcome them. It will also give key examples to support this, and it will be open to any questions.
We have collated a fact sheet for clients and candidates to assist with the upcoming changes, which can be accessed here.
This CPD event is fully subscribed; however, if you are interested in attending a GDPR seminar, please do get in touch, as we will be looking to re-run the course in April. Please express your interest at firstname.lastname@example.org