GDPR – The EU General Data Protection Regulation – CIPD 29 November 2017
This EU regulation, which applies from 25 May 2018, is an overhaul of data protection law designed to produce a single set of data protection rules for the entire EU.
Although the regulation applies less than a year before the UK is scheduled to leave the EU, UK businesses need to prepare for compliance with the GDPR. The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament which will replace the UK’s existing Data Protection Act 1998 (DPA) with rules aligned to the GDPR, as well as introducing a few additional changes. Employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff.
Organisations should:
- Appoint a data protection officer (mandatory under the GDPR for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data) to be responsible for all aspects of information handling, including compliance with the Data Protection Act 1998 and, for public authorities, the Freedom of Information Act.
- Audit information systems to find out who holds what data, and why.
- Consider why information is collected and how it is used, and issue guidelines for managers about how to gather, store and retrieve data.
- Ensure that all information collected complies with the data protection principles in the DPA and, from May 2018, the GDPR.
- Check the security of the information stored, including who can access it and how a personal data breach would be detected and reported (the GDPR requires notification to the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals).
- Check the transfer of data outside the EEA and the legal basis relied on for each transfer, such as an adequacy decision or standard contractual clauses.
- Check the organisation’s use of automated decision making, since individuals have the right not to be subject to a solely automated decision that produces legal or similarly significant effects on them, subject to limited exceptions.
- Review policy and practice in respect of references.
- Review or introduce a policy for the private use of telephones, email and post.
- Take steps now to prepare for the GDPR, which applies from 25 May 2018.