The EU’s new General Data Protection Regulation (GDPR) is expected to turn some organisations upside down, as they look to make drastic changes to bring themselves in line with the new rules.
The GDPR is to overhaul current data protection laws to make sure that they are fit for purpose, especially in the modern digital age. Under the current UK Data Protection Act 1998, anyone can request the information that organisations have about them.
The new legislation will mean that organisations will have to respond to subject access requests, or SARs, much more quickly than before. Under the current UK Data Protection Act 1998, employers have 40 days to respond to a request and could charge a fee of £10. But when the new rules come into effect in 2018, employers will have to comply with an SAR within one month and will not be able to charge any fees.
Employers who do not meet the deadline, or fail to provide all the information requested, could face a hefty fine. The UK Information Commissioner’s Office (ICO) can currently hand out fines of up to £500,000 for serious breaches of the DPA. But the penalties for not complying with SARs rules are expected to rise substantially under the new GDPR.
GDPR is a regulation rather than a directive and is directly enforceable in the UK without the need for the government to legislate. This means that the UK will not need to introduce a new Data Protection Act.
Organisations must also provide information about the type of data they hold about the person, who they have shared the data with and what the purposes of their processing are.
Further information must also be provided to explain the person’s rights to request the modification or removal of their data and how the organisation sourced their personal data. They should also be advised of their right to lodge complaints with data protection authorities.
Employers will also have to appoint a dedicated data protection officer if they handle a large amount of sensitive data or monitor the behaviour of a large number of consumers. Under GDPR, businesses will have to keep track of personal data in ways that can be audited and provide notification of breaches within 72 hours.
What should you do?
Employers must put in place a specific process to handle SARs under the new rules and produce standard wording that provides the additional information they are required to disclose alongside the requested data.
Businesses will also need to make sure that their systems are managed in such a way that data can be retrieved as quickly as possible. Staff should be appropriately trained to identify when a request constitutes an SAR and to ensure that SARs are passed immediately to those tasked with managing responses.
With much stiffer penalties expected under the new system, businesses should be focused on putting in place their procedures and training for managing SARs as soon as possible, to make sure they are ready for the new regulation.