Are you GDPR-ready?
The General Data Protection Regulation (GDPR) is due to come into force on 25 May 2018, giving businesses less than a year to get to grips with the planned changes.
The ‘right to be forgotten’ will be entrenched in national legislation once the GDPR comes in. When most people think of this, they think of Google removing links from search engine results, but the right to be forgotten could also affect information held on file about employees. So if someone receives a disciplinary warning for something, once the warning is spent, those records should not be retained. However, this applies only when an employee asks to use that right; it is not a wholesale rule. Organisations therefore need to have a process in place to deal with requests.
The rules around subject access requests (SARs) are changing too. At the moment, companies have 40 days to respond, but this goes down to a month under the GDPR. The fees organisations can charge for SARs, currently a maximum of £10, will also disappear under the new regulation, which means there may be a rise in the number of requests received.
The GDPR stems from the EU, but ministers have already confirmed that the law will be enacted in the UK regardless of Brexit, so businesses need to be GDPR-savvy.