As of 25 May 2018, the General Data Protection Regulation (GDPR) will reform data protection and privacy laws not only in Europe but across the Channel Islands.

The new rules:

  • Create new responsibilities for employers about how they collect, use or store information about their staff
  • Give employees new rights about how their data is collected, used and stored – including the right to have data corrected or deleted.

Five things you need to know...

Jersey's Information Commission and Guernsey's Data Protection Commissioner will have the power to serve fines of up to £10 million

Where data is lost or stolen, the breaches will have to be reported to the regulator within 72 hours of discovery

You will no longer be able to compel employees to hand over health records, no matter what their contracts of employment state

Your right to compel employees or applicants to disclose criminal convictions is severely curtailed

Employees or former employees will have the “right to be forgotten” – so that, in some cases, they can demand that their data is deleted

Five things you need to do...

Review your records management systems and processes and appoint a Data Protection Officer if you process large amounts of data

Review and update your existing contracts, policies and handbooks – including policies in respect of social media

Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests

Review your procedures for dismissal on ill health grounds in the light of the changes to rules on medical records

Issue privacy statements to all data subjects, including employees, setting out what data you hold about them, why you have it, and how it is held