On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force. These regulations aim to harmonise data protection laws across the EU.
The GDPR will apply to any company processing the personal data of individuals in the EU. Under the GDPR, employers will need to provide more detailed information, such as:
how long data will be stored for;
if data will be transferred to other countries;
information on the right to make a subject access request; and
information on the right to have personal data deleted or rectified in certain instances.
The GDPR also has a mandatory breach reporting requirement. This means that if there is a data breach (such as the disclosure of personal data), the employer will have to notify the data protection authority within 72 hours. Employers that breach the GDPR can expect significant fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.
In preparation for GDPR, an effective HR strategy should:
assess current HR data and related processing activities and identify any gaps against the GDPR;
review current privacy notices and update them, where applicable;
where consent is currently relied on, check whether or not it meets GDPR requirements;
develop a data breach response procedure; and
appoint a data protection officer, where appropriate.