The GDPR, which supersedes the existing Data Protection Act, will introduce a number of new requirements relating to personal data and will make employers more accountable. Although the legislation originates from the European Union, the referendum result last summer will have no bearing on its introduction in the UK.
The GDPR sets out a number of obligations including seeking and recording consent for processing personal data of employees and reporting personal data breaches when they occur.
Businesses will need to update their contracts of employment, staff handbooks and other employment documents to take account of these requirements. From May 2018, employee consent can no longer be incorporated into the employment contract, so a separate form including prescribed information will need to be signed.
Employers will be required to keep a record of the steps taken to assess the impact the GDPR will have on their business and its procedures. They will also need to show that they have identified possible risks and document the measures put in place to minimise the likelihood of a problem arising.
Although the GDPR appears rather intimidating, it is crucial that all employers make the necessary preparations. Failure to abide by the new rules can lead to the Information Commissioner’s Office (ICO) imposing penalties of up to €20 million (or four per cent of a company's global revenue, whichever is the greater amount).