As of 25 May 2018, the General Data Protection Regulation (GDPR) will reform data protection and privacy laws not only in Europe but across the Channel Islands.
The new rules:
- Create new responsibilities for employers about how they collect, use or store information about their staff
- Give employees new rights about how their data is collected, used and stored – including the right to have data corrected or deleted.
Five things you need to know...
Jersey's Information Commission and Guernsey's Data Protection Commissioner will have the power to serve fines of up to £10 million
Where data is lost or stolen, the breaches will have to be reported to the regulator within 72 hours of discovery
You will no longer be able to compel employees to hand over health records, no matter what their contracts of employment state
Your right to compel employees or applicants to disclose criminal convictions is severely curtailed
Employees or former employees will have the “right to be forgotten” – so that, in some cases, they can demand that their data is deleted
Five things you need to do...
Review your records management systems and processes and appoint a Data Protection Officer if you process large amounts of data
Review and update your existing contracts, policies and handbooks – including policies in respect of social media
Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests
Review your procedures for dismissal on ill health grounds in the light of the changes to rules on medical records
Issue privacy statements to all data subjects, including employees, setting out what data you hold about them, why you have it, and how it is held