From 25 May 2018, the General Data Protection Regulation (GDPR) will replace the UK's current statutory framework for data protection. Its scope is wide and will require organisations to review their data-handling practices in many areas, especially how they manage and process employee personal data, which often includes sensitive personal data (termed "special category data" under the GDPR, such as health, trade union membership and biometric data).
All organisations carrying out professional or commercial activity (whether or not payment is received for that activity) will have to comply with the GDPR regardless of their size, provided that they process personal data.
Personal data breaches will have to be reported to the supervisory authority (in the UK, the Information Commissioner's Office) within strict deadlines: without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Failure to report, and other breaches of the GDPR, can attract severe fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
A new Data Protection Act (the Data Protection Act 2018) will be introduced by the UK Government to replace the Data Protection Act 1998. This Act is not yet finalised. The new Act will not remove the existing data protection principles; however, the new rules will mean that organisations need to consider data protection in every aspect of new projects ("data protection by design and by default"), and some organisations (public authorities, and those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data) will need to appoint a Data Protection Officer to oversee compliance. Greater emphasis will be placed on accountability, meaning that organisations will need to put processes and procedures in place, and keep records, that demonstrate data protection is built into how they operate.
The UK's exit from the European Union will have no effect on the application of the GDPR: it will apply from 25 May 2018 while the UK remains a member state, and the UK Government has confirmed that its requirements will continue to apply after exit.
For more information on our GDPR4HR solution, give us a call.