With 25th May 2018, the date the GDPR starts to apply, in sight, we have highlighted the key things you need to know:
- "Sensitive personal data" under the Data Protection Act 1998 is replaced under the GDPR by "special categories of data". For the first time this expressly includes genetic data and biometric data (where used to uniquely identify a person), and it continues to cover data about health, racial or ethnic origin, sexual orientation and sex life, religious and philosophical beliefs, political opinions and trade union membership. Data about criminal convictions and offences is dealt with separately by the GDPR, but in the UK it is subject to similar safeguards.
- The criteria for valid consent are stricter (it must be freely given, specific, informed and unambiguous) and individuals can withdraw consent at any time. Because of the imbalance of power in the employment relationship, employers are unlikely to be able to rely on consent for processing employee data and will instead need to identify another lawful basis for each processing activity, such as performance of the employment contract, compliance with a legal obligation or legitimate interests.
- Your data protection approach must be tailored to your organisation and your workforce, and crucially you must be able to demonstrate compliance (the "accountability" principle), for example through records of processing, policies and data protection impact assessments where required.
- The GDPR increases the amount of information that must be included in privacy notices for them to be legally compliant, including the lawful basis for processing, retention periods and the individual's rights. Notices must be drafted in plain and clear language to meet the fairness and transparency requirements. Privacy notices will be required not just for employees, but also for consultants, workers, non-executives and board members, and for applicants and volunteers.
- You can no longer charge the standard £10 fee for subject access requests (a reasonable fee is only permitted where a request is manifestly unfounded or excessive, or for further copies), and instead of 40 days to comply with a request, the time limit reduces to one month, extendable by up to two further months for complex or numerous requests provided the individual is told within the first month.
- Individuals will have greater rights, including the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to object to processing and the right to data portability.
- All personal data breaches must be recorded internally, and any breach likely to result in a risk to individuals' rights and freedoms must be reported to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay.