Confused about GDPR? No need to panic

By Toni McAlindin, barrister and CIPD tutor

Out of nowhere, employers have suddenly become interested in data protection. Having lectured for over 20 years on the subject, it all seems rather bizarre.

Of course, it is not because employers have suddenly seen the light, but more likely because new legislation is looming and there is a great deal of confusion as to what is required.

We have had data protection legislation since the early ’80s so these obligations are not new, but now the fines for non-compliance could be absolutely enormous (maximum of 20 million euros or 4% of total annual turnover, whichever is the higher) and that seems to have concentrated the mind for many organisations.

What’s new, then? Firstly, a new regulation known as the General Data Protection Regulation (GDPR) which originates from the EU. Yes, we are leaving the EU, but if we want any chance of doing future business within the EU then we need to comply fully with this legislation. It will be implemented in May 2018 along with the EU Enforcement Directive. The UK Data Protection Bill is currently going through Parliament. It will implement both of the above but also some areas not covered by EU law – for example, immigration and national security.

It should be stressed that the bulk of the new material is similar, if not identical, to the present data protection rules but the new Regulation aims to strengthen and unify data protection.

So, what’s different? Fines are certainly much higher but there has been too much emphasis on this area as the Information Commissioner Elizabeth Denham points out in one of her recent blogs.

The core of the legislation concerns ‘personal data’. The new definition is more detailed, reflecting changes in technology, for example, personal data could be an IP address or even data that has been pseudonymised (key coded). Clearly considerable personal data is held in organisations, not only on employees and workers but also clients, customers, suppliers and so on.

Employers will need to be much clearer about records of personal data and processing activities and much, much clearer on their lawful basis for processing such data. The legislation lays down a number of legitimate reasons for processing. If one does not exist, it will be necessary to get consent. It is not always necessary to get consent (as now) but consent must be unambiguous, specific, informed and freely given, in other words, without duress. And there must be ways to withdraw consent. It cannot be an integral part of the employment contract. It must be “by a statement or by a clear affirmative action”. Pre-ticked boxes will be invalid. There must be an active opt-in from those giving their consent.

The ICO has already published draft guidance on consent. It is unlikely to change much prior to the final version in December. It has also published a helpful 12-point checklist and more guidance will be published on an ongoing basis.

For more information on the GDPR, the CIPD course Understanding Data Protection provides an overview on existing legislation, new proposals and ongoing guidance.

Thank you for your comments. There may be a short delay in this going live on the blog page as we moderate the comments added to our blogs.

  • Hello. I'm not sure if this is the right place to post this question so please forgive me if it isn't (and tell me where the right place is please).

    First, agree about the hype to do with GDPR. Suggest this is consultants seeking to 'ride the wave' of the distressed. Perhaps I'm cynical?

    But seriously, GDPR matters and we're doing our bit to get compliant. Now we're in a position where we're clear about what we need to do, we just don't know the form of words to use in each case. Our specific issues are these...

    1) we don't know how to reword our employee contracts to mention 'data' in the right way.

    2) we don't know how to reword our employee handbook to set out privacy the right way

    3) we're unsure over the issue of 'consent' when it comes to using employee data to pay them, set up pension etc. And if consent is needed, we don't the right place and wording to achieve it.

    If you've insight on these points or can point us to people/places that have that would be brilliant! A huge thank you in advance. John

  • Thanks Toni.  Agree with the no panic approach and there is certainly a lot of scare tactics being used in the commercial world.  

  • Thank you for the welcome breath of rational fresh-air and clarity among the frantic wailing and gnashing of teeth. Yes, the new fines are eye-watering, but for anyone conversant with and compliant with the DPA there is nothing too alien in the new regulations. More care to be taken walking a narrower path, but no completely new map to be drawn.

  • Thanks Toni for the insights into the changes that are coming in personal data management. Organizations will be subject to audits on how they are handling and storing data, and as you have said, must be able to show clearly how that data was obtained and for what reason, in conformity with the new legislation.

    A central information management system allows organizations to demonstrate  how and why they hold certain data, and to record all treatment actions on the personal data which your organization hss to keep you in compliance with the GDPR legislation.

    Susanna, Quidgest: GDPR solutions