Gender pay gap data is a walk in the park compared to the requirements of GDPR. This new EU legal framework is similar to the existing UK Data Protection Act 1998 (DPA), but with some key differences. GDPR comes into effect from 25 May 2018 and applies to both data controllers and processors. The definitions of both remain broadly similar to those under the DPA. The new legislation means processors have specific legal obligations, such as maintaining records of personal data and processing activities. Controllers have more responsibilities and must ensure their contracts with processors are GDPR-compliant. Breaches will also bring far greater liabilities than under the DPA – the penalties will be many times higher and could total 4% of a company’s turnover from the previous year.
This means almost every activity attracts a liability. You must be sure to view not only each piece of data but also the flows of data in order to understand where it is coming from and where it is going. GDPR also extends beyond automated personal data to include manual filing systems where personal data is accessible under certain conditions. Sensitive personal data includes genetic and biometric data that is used to identify individuals. If your organisation complies with DPA, that doesn’t mean it will comply with GDPR. And Brexit won’t make things easier. European companies must comply with GDPR and will insist the UK companies they trade with are also compliant.