Don't forget the new data protection regulations

30 November 2017

Unfortunately, last year’s referendum vote for Brexit has not provided any instant respite from new European regulations because anything that comes into force before we actually leave the EU has to be complied with in full at least until that point is reached.

There can therefore be no shying away from obligations under the General Data Protection Regulation (GDPR) which comes into force in the UK on the 25th of May 2018 – 10 months before the time currently scheduled for the UK to leave the EU.

The GDPR, which will be enforced by the Information Commissioner’s Office (ICO), builds on the existing UK Data Protection Act 1998, strengthening rules around personal data and requiring organisations to be more accountable and transparent. It also gives employees greater control over their own data.

Whilst some of the potential impact of the new regulation still remains uncertain, particularly with regard to how it will affect UK business post-Brexit, the basic messages are that it’s definitely coming in, it will have an effect on every business and it will require a fair bit of work.

The impression we’ve formed so far is that, whilst most large employers are on the case with the GDPR, many smaller ones are not. But the new measures will have a significant impact on how they run their employee benefits programmes and on data protection issues in other areas of their firms, and those who fail to comply could find themselves facing very steep fines.

So the need to start planning now and to draw up a transparent company policy for the GDPR cannot be stressed enough.

Fortunately, there are already some useful free tools out there to help SMEs get to grips with the issues involved. The ICO has become acutely aware of the need to assist organisations employing under 250 people and has made a range of resources available on its website, including a “12 steps to take now” guide.

This November the ICO also launched a useful new dedicated advice line for SMEs, to provide help for those who still have questions about the GDPR. Additionally, it can answer questions on current data protection rules and other legislation regulated by the ICO – including electronic marketing and freedom of information.

Chase de Vere will be discussing data protection issues that are relevant to the employee benefits package at forthcoming client reviews but there are a number of potential pitfalls that we would like to draw attention to straight away.

In particular, we have noticed that providers are starting to say that security on self-select voluntary schemes isn’t tight enough. Employers will therefore have to do more work in this respect, especially in terms of providing further data on the users – so that providers can verify that users are who they claim to be.

Data access requests are another area to focus on. The new required response times are significantly quicker than under the old Data Protection Act. Those who distribute data to third parties must inform them when something needs to be changed, and must also inform the individuals concerned about the third parties the information has been disclosed to. Suitable processes must therefore be established.

Additionally, we need to warn you that we will be responsible for some administrative inconvenience as we will, amongst other things, have to change our standard service level agreements. Data “processors” like Chase de Vere are now subject to specific legal obligations with regard to maintaining records of personal data and other processing activities, and we have significantly increased legal liabilities if we are responsible for any breaches.

However, employers should not make the mistake of believing this means they are relieved of their obligations when a processor is involved. Just because processors have more responsibility does not mean that data “controllers” have any less. Indeed, the GDPR places further obligations on controllers to ensure their contracts with processors are compliant.

SMEs who wish to find out more about how the GDPR will affect their business should visit the ICO’s website (www.ico.org.uk) and raise any queries via its new advice line (Tel: 0303 123 1113 – then select option 4).