GDPR Overview
This section provides information about using IRIS HR Professional to help you implement and manage the General Data Protection Regulation (GDPR). This section does not provide detailed information about GDPR itself, nor advice on processes and legal issues, as this is widely available from other sources.
Who should use this section?
Anyone responsible for GDPR implementation in your organisation, in particular those in the following roles:
- Data controllers, who must inform data subjects about how and why their data may be processed.
- Data processors, who may be taking on regulatory liabilities for the first time.
- Data protection officers, who your organisation must appoint if processing personal data on a large scale.
- CEOs and key business stakeholders, who need to build a solid strategic plan that addresses the challenges of GDPR.
About GDPR
GDPR came into effect on 25 May 2018 and replaced the Data Protection Act (DPA) 1998. This was the biggest change to UK data protection laws in over twenty years:
- GDPR harmonises data protection laws across the EU.
- GDPR applies to any organisation that processes the personal data of individuals in the EU in relation to offering goods and services, or to monitoring their behaviour.
- Employers must process personal data lawfully for a specific purpose and delete the information when that purpose is fulfilled.
- Employers who breach GDPR could face significant penalties, including fines of up to €20 million or 4% of the business's annual turnover, whichever is greater.
- GDPR builds on the Data Protection Act 1998, introducing new responsibilities for organisations and new rights for employees.
- GDPR continues to apply to UK businesses for now, regardless of Brexit. Organisations directing products and services at EU citizens may still have a legal requirement to comply with GDPR after the UK leaves the EU.