Professional December 2016/January 2017

TECHNOLOGY INSIGHT

GDPR – the clock’s ticking… Tim Musson, managing director at Computer Law Training Ltd, considers the implications, or lack of implications, of Brexit for the GDPR together with some of the principal changes which have particular relevance for those involved in payroll

The world of data protection is going to change dramatically in 2018. From 25 May 2018 the new European Union (EU) General Data Protection Regulation (GDPR) will be enforced across and beyond the EU. What does this mean and why should an EU regulation matter to us? After all, we have been told that ‘Brexit means Brexit’.

Brexit

Much of our law which originates from the EU is based on directives. Each member state creates its own law, which is essentially an interpretation of a directive. The United Kingdom’s (UK’s) current Data Protection Act 1998 (DPA) was created in this way. Normally there is a flexible timescale for member states to implement a directive, often permitting a delay of a few years.

The GDPR, however, is different; it is a ‘regulation’, which means that it is law, as written, in all member states from the day it comes into force. The UK will, barring any unforeseen circumstances, still be in the EU on 25 May 2018, so it will be enforced here from that date, forming part of our legislation. This has been confirmed by the relevant Secretary of State.

At some point we will, presumably, leave the EU; all our laws will still be in place and the laborious process of repealing and changing laws will start. It’s unlikely that data protection will be at the top of the list, and, if it is eventually changed, for various reasons, any changes are likely to be very small.

GDPR compliance is something we all need to start preparing for. Large organisations or those with complex data handling issues will find this very demanding. The relatively short timescale, together with the current lack of official guidance on interpretation of the GDPR, adds to the problem.

The GDPR

The basic principles of data protection won’t change, but the obligations are stronger and there is a lot of detail which changes current best practice to legal requirement. Organisations that already have good information governance policies and practice will be relatively well placed for GDPR compliance.

Penalties

The most obvious, and dramatic, change is the scale of potential penalties for data controllers. Under the DPA the maximum financial penalty which can be imposed by the Information Commissioner is £500,000. The maximum penalty under the GDPR is €20 million or 4% of global turnover, whichever is the greater. Recently the Information Commissioner fined TalkTalk £400,000 for a data breach in 2015 (inadequate security measures and inappropriately retaining personal data). It has been estimated that this could

Professional in Payroll, Pensions and Reward | December 2016/January 2017 | Issue 26 | Page 44
