We should all start preparing for the GDPR, which comes into force on 25 May 2018.
Its aim is to strengthen individuals' rights and to harmonise data protection compliance across the EU member states.
The UK has published the draft Data Protection Bill to implement the GDPR in domestic law. The Bill is intended to replace the current Data Protection Act 1998 and sets out how the UK will comply with the European regulation.
The GDPR increases the requirements for processing special categories of personal data (formerly known as sensitive personal data), which cover information relating to race, political opinions, religion, trade union membership, health, sexual life and criminal convictions.
The GDPR attaches strict conditions to the processing of such data. The principal condition is that the individual must give explicit, specific and informed consent to the processing.
The Data Protection Bill, however, provides that companies may process special categories of personal data without consent in order to meet their obligations under employment law, provided they have a policy document in place covering that processing.
Similarly, companies may process data on criminal convictions, for example by carrying out background checks, to meet their legal obligations where such a policy document is in place. These policies are likely to require the company to set out how it will protect this data while processing it.
Subject access requests
Changes to subject access requests under the GDPR include the removal of the maximum £10 fee for processing a request (a reasonable fee may still be charged where a request is unfounded or excessive) and a reduction of the time limit for responding from 40 days to one month from receipt.
The Bill preserves the existing exemptions under the Data Protection Act 1998 regarding the information that must be disclosed in response to a subject access request.
Companies will still not be required to disclose information, or include information in any privacy notices, that is:
- covered by legal professional privilege
- used for business planning
- prepared for negotiations with the individual
- any confidential references given by the organisation.
Alongside confirming the new maximum fine of €20,000,000 or 4% of annual worldwide turnover, whichever is higher, the Bill introduces new criminal offences for companies. A company commits an offence if it alters, destroys or conceals information that it is legally required to disclose to an individual making a subject access request. In addition, an organisation commits an offence under the Bill where it intentionally or recklessly re-identifies an individual from anonymised data.