Professional December 2016/January 2017

Technology insight

have been as much as £73 million under the GDPR. There is also a lower level of penalty (€10 million or 2% of global turnover) for breaching certain articles of the GDPR. In several respects this level of penalty also applies to data processors, who have no direct liability at all under the current legislation.

Data protection principles

The DPA states eight data protection principles and, while they do not exist in quite the same form in the GDPR, their requirements are all there. There is, however, one extra principle, the ‘accountability principle’, which states that “the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”, where paragraph 1 consists of all the other data protection principles. This sounds unexciting, but its implications are profound: an organisation will need to create and keep very considerable amounts of documentation relating to policies, procedures, processes, records of decision making and training records. If someone complains to the Information Commissioner’s Office (ICO) about a data protection issue, it is likely that the ICO will visit and ask to see all of this. While many public sector organisations are already fairly well placed in terms of this documentation, it is a different story in the private sector.

The requirements of the current eighth data protection principle, which relates to international transfers of personal data, are virtually unchanged. At the moment, following the decision of the Court of Justice of the European Union in 2015 concerning the ‘safe harbor’ agreement between the EU and the United States of America, the whole issue of international transfers is in disarray and the legal mechanisms used are open to challenge. This looks unlikely to change in the near future.

Breach reporting

Currently in the UK, apart from electronic communication providers, there is no requirement to report a breach of personal data, although self-reporting usually encourages the ICO to take a more lenient approach. Under the GDPR a data controller must report a personal data breach to the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and a data processor must report it to the data controller ‘without undue delay’. If the breach is likely to result in a high risk to data subjects then they must also be informed, unless the affected data had been rendered unintelligible to anyone not authorised to access it, for example by encryption. That exemption only helps if the decryption keys were not exposed in the same breach. The meaning of ‘high risk’ is still to be determined. Nobody wants to tell data subjects their data has been breached, so this is an excellent argument for encrypting data. Compulsory breach reporting brings the EU into line with much of the rest of the world.

Data protection officers

Certain organisations will be required to have data protection officers (DPOs). This will apply to all public bodies and to those whose core activities consist of large scale processing of personal data involving the monitoring of data subjects, or the processing of sensitive personal data. Again, the exact interpretation of this is not yet clear, but it will almost certainly include providers of human resources and payroll services. The catch here is that a DPO is required to have a high level of data protection expertise, must not be told what to do by the employer, must report directly at board level and must be given adequate resources (including any necessary training) to do the job. Appointing a DPO is a very scary business, as is accepting the job.

Other changes

There are many other changes to be introduced by the GDPR. Requirements for obtaining consent for processing personal data will be very much stricter. In certain circumstances it will be obligatory to carry out a privacy impact assessment (termed a data protection impact assessment in the GDPR) and possibly even to consult the ICO before commencing processing. The amount of information which must be given to a data subject when personal data is collected is increased, giving greater transparency of processing. Organisations anywhere in the world that process personal data of people in the EU in order to offer them goods or services will be required to comply.

As a result of these changes, public perception of data protection is likely to change with the GDPR. Firstly, the massive increase in potential, and presumably actual, penalties will attract media and public attention. Added to this, the stronger, clearly named data subject rights will make people much more aware of their rights.


Issue 26 | December 2016/January 2017

Professional in Payroll, Pensions and Reward
