With GDPR coming into force on 25 May 2018, find out how you can get ready for GDPR from an HR perspective.
With GDPR (General Data Protection Regulation) coming into force on 25 May 2018, every business in the UK, including Licensed Premises, will need to get up to speed with the new regulation. Take note: there is no grace period. You must be compliant with GDPR by the commencement date.
This new regulation is not the status quo. If you are compliant under the Data Protection Act 1998, then this is a good starting point, but most likely you will still fall short of complying with GDPR.
The new regulation has teeth. By this we mean that the ICO, under the new regulation, will have the authority to issue fines up to the greater of 20 million euros or 4% of worldwide turnover for breaches of GDPR. Under the Data Protection Act 1998 the maximum fine is £500,000. Given the significant increase in the potential fine for breaching GDPR, and the increased compliance measures required of data controllers (including Licensed Premises), it is imperative that you get your Licensed Premises in order, to ensure that your business is compliant with GDPR by 25 May 2018, or you may be facing the consequences of your inaction.
Not only do you need to be compliant with the new regulation, you need to be able to demonstrate your compliance.
The first step to achieving compliance is undertaking a data-mapping exercise. This involves reviewing all personal data that you hold and collect; determining whether the personal data is in fact necessary (as under GDPR you should not be processing more data than is necessary); and determining the legal basis for processing that personal data. There are six lawful bases for processing personal data. These are:
- Consent - i.e. the data subject has consented to you using their personal data.
- Contract - i.e. if you need the personal data to fulfil a contractual obligation.
- Vital interests - i.e. if you need the data to protect someone's life.
- Legal obligation - i.e. if you need the personal data to comply with a common law or statutory obligation.
- Public task - i.e. 'in the exercise of official authority' or for a specific task in the public interest that is set out in law.
- Legitimate interests - i.e. if you have a legitimate interest in processing the data in a manner that would reasonably be expected and which will have minimal privacy impact or where there is a compelling justification for processing.
There is often a condition on a premises licence requiring CCTV to be in place and enabling the Police (or other third parties) to access CCTV footage if an incident occurs. CCTV footage records the images of employees and customers, which is personal data, and therefore falls within the scope of GDPR. Licensed Premises will now need to ensure that they are complying with both GDPR and the condition of their premises licence.
Under GDPR there is a requirement to:
- Identify the legal basis, from the six detailed above, for recording and storing the CCTV footage; and
- Notify the individual of the personal data you are collecting at the point of data collection, the reason you are collecting that data and who the data may be shared with (amongst other information) in the form of a privacy notice.
Accordingly, Licensed Premises will need to take action to ensure that they have considered and recorded the legal basis for recording CCTV footage on the premises and thereafter prepare privacy notices to communicate this to the relevant data subjects at the point of data collection.
Licensed Premises will also need to take note of the personal data that they hold in respect to their workers and employees.
Under the GDPR, you will need to show that there is a 'legitimate basis' for processing the employee's (or worker's) information. Under the Data Protection Act 1998 employers have generally relied on 'consent' within a contract of employment. This will no longer be sufficient under the GDPR. In most cases you will no longer be able to rely on consent as the legitimate basis for processing data. This is because under the new regime consent must be 'freely given', and it is deemed that this cannot really be the case in an employer/employee/worker relationship, as there is no realistic option for the employee/worker to refuse consent.
Instead of relying on consent within the employment contract, employers will be required to have a 'Privacy Notice' that they share with employees and workers. There are quite a few statutory requirements for what the privacy notice must contain, but in summary it sets out how you will process employees' and workers' data and what your legitimate reasons for doing so are. It also sets out information regarding data retention, how information is shared and a complaints process.
Obviously you will deal with job applicants as well as current employees/workers and you will need to have a privacy notice that applies to them as well. This will need to be shared with them at the point they apply for the job, as after that point you will be processing their data.
Accordingly, when GDPR comes into force on 25 May 2018, you will need to ensure that employment contracts are GDPR compliant and that you have an appropriate privacy notice in place to comply with your obligations under GDPR.
The GDPR brings with it various changes that you need to put in place by 25 May 2018.