General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is new EU legislation that comes into effect on 25/05/2018.
It will be included in British law irrespective of Brexit. The law is intended to harmonise data privacy laws across Europe, to give additional power to prosecutors and to increase protection for European citizens.
Overview of General Data Protection Regulation Changes
Increased Territorial Scope – The biggest change is the extended jurisdiction of the GDPR as the new law will apply to all companies processing the personal data of subjects residing in the EU regardless of the company’s location.
Penalties – Organisations found to be in breach of GDPR can be fined 4% of annual turnover or €20 million (whichever is greater).
Consent – Conditions for consent have been strengthened, meaning companies will no longer be able to use long, illegible terms and conditions full of legalese. Consent must be given in an easily intelligible and accessible form.
Rights of Data Subjects
Breach Notification – Companies must notify the relevant authorities within 72 hours of first becoming aware of a breach if “a breach results in a risk for the rights and freedoms of individuals”. Data processors must also notify their customers.
Rights to Access – Individuals have the right to obtain confirmation from the data controller of whether or not personal data about them is being processed, where and for what purpose.
The data controller must upon request provide the individual with a copy of their associated data in electronic form.
Right to be Forgotten – Also referred to as Data Erasure: the data subject has the right to request that the data controller erase his/her personal data, cease further dissemination of the data and potentially have third parties halt processing of the data.
The conditions for being forgotten are that the data is no longer relevant to its original purpose or that the subject has withdrawn consent.
Privacy by Design – This refers to the technical design of the data collection system; the law stipulates that the design of the system should “protect the rights of data subjects”.
So, now that the technical stuff is out of the way, how does GDPR affect payroll?
- If your payroll data is breached, whether by hackers or through a non-malicious breach of data, you must notify the relevant authorities within 72 hours.
- Individuals for whom you have previously processed payroll but who are no longer your employees have the right to request that you delete the data about them. It is also sensible to have a policy to delete closed accounts after a reasonable period of time.
- You must cast a critical eye on the ways that you collect data and establish whether your business complies with the Privacy by Design clause of the new law.