Solicitors Liverpool

  • HR and GDPR

    The General Data Protection Regulation (GDPR) came into force on 25th May 2018, bringing major changes to the way data is protected and enabling employers to reconsider their employment and HR procedures and amend them in order to comply with GDPR requirements.

     Employers should maintain focus on the following factors:

  • Individual debt

    What are the necessary steps to take when an individual is served a disputed statutory demand?

    One option is to contact the creditor to dispute the statutory demand, which will lessen costs for both parties. However, a statutory demand must be responded to within 21 days, so this could be problematic if a response is not received from the creditor within this time frame.

    If no response is received from the creditor, then the next step is to submit an application to the appropriate court (usually the court that set out the statutory demand itself) to set aside a statutory demand under the recent Insolvency Rules (6th April 2017).

  • Keeping up with GDPR requirements

    The EU General Data Protection Regulation (the “Regulation”) came into effect on 25 May 2018, replacing the Data Protection Act 1998. The GDPR requirements largely repeat the security principles set out in the DPA, although with a much tougher regime and more severe sanctions for breach.

    This change has brought about business challenges for which there is little, if any, legislative or regulatory clarity at present.

     1. How does controller and processor liability work in practice?

  • Statutory demand

    What is the minimum amount of demanded debt in a statutory demand?

    For corporate debtors the minimum amount is £750.

    For individual debtors the minimum amount is £5,000 – Under the Insolvency Act 1986 (Amendment Order 2015) which was revised on 1st October 2015.

    However, the sum of £750 still applies to bankruptcy petitions prior to 1st October 2015.

  • Morrisons has become the latest supermarket chain to come under fire regarding equal pay, which could result in the well-established company facing up to £1 billion worth of fines.

    The London-based law firm, Leigh Day, announced their intentions to submit a claim with the employment tribunal for eight of Morrisons’ employees - mainly female - who are under the impression that they are being paid far less than employees located in Morrisons’ warehouses, who are mostly male.

    The law firm confirmed that their estimates of £1 billion stem from the additional employees who may potentially make a claim, as Morrisons currently has around 80,000 staff working in stores who may have experienced equal pay discrimination and will want to bring a claim against the retailer.

  • Practicalities of a data processing agreement

    Article 28 of the General Data Protection Regulation (GDPR) states the conditions of a data processing agreement between the data controller and the data processor.

    Recently, this agreement has been brought into question, regarding its workability and whether it is actually working in the way it is prescribed in the GDPR requirements. https://gdpr-info.eu/art-28-gdpr/

    Organisations are usually established as the data controller, and the program they use acts as the data processor, for example Microsoft OneDrive for Business, which is utilised by various companies. In accordance with Article 28 of the GDPR, an organisation should have a controller-processor agreement with their chosen software, which would usually be dictated by the data processor.

  • Record keeping - right to be forgotten

    GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you erase all the data if you have a need and legitimate interest basis to process their data for audit records. If you cannot erase data (for example, there is a legal requirement to keep certain records for 6 years) then consider restricting the processing, such as moving to archiving.

    The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.

  • Religious Discrimination

    It is unlawful to discriminate against anyone for their religion or belief, as well as an individual’s lack of religion or belief, in accordance with the Equality Act 2010.

    In a work environment, all employees should be protected against discrimination of their religious faith or philosophical belief. This ensures that all aspects of religion and philosophy are equal, and that one employee’s faith or belief does not dominate another, including their superiors’ religion or belief.

    In respect of philosophical beliefs, an individual or group must show substantial evidence of their belief system being a dominant aspect in their lives. This should also ensure that their belief does not conflict with the fundamental rights of their colleagues. The main focus areas to consider when dealing with religion or belief discrimination include:

  • Subject Access Request and Confidential References

    A Subject Access Request (SAR) is a written request from an individual, in relation to their access to information, which they are entitled to ask for under the Data Protection Act.

    There has been some debate on what must be included in an SAR, recently in relation to the inclusion or exemption of confidential references. Previously, under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, although employers did have the right to refuse disclosure of this information to the employee. In this instance, an employee could overrule the employer’s decision by applying to the recipient employer regarding their reference, whereby the employer could not decline disclosure.

  • Subject Access Request outside of the EU

    On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

    So, the question is whether data processors need to address the Subject Access Request without the controller or not?

  • Superdrug Data Hack

    Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

    The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

    A spokeswoman from Superdrug stated:

    “The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

    The company also confirmed that 386 accounts had been accessed, including customers’ names, addresses, date of birth, phone number, and Superdrug balance points; however, luckily no card information was obtained.

    They sent out an email to their customers, in addition to a confirmation on Twitter stating:

  • Technical Initiatives to stay privacy safe

    Data protection is an overarching term for the mitigation of failures in protection (confidentiality), accuracy (integrity) and access (availability) that can cause an impact to data subjects and, ultimately, your business. Compliance is about the governance of the GDPR, and non-technical measures to adopt and adapt.

    Risk assessments enable decision-makers to consider everything from contractors leaving with passwords and insider knowledge, and lead to changes in technology, anonymisation of databases, deletion of old, unnecessary records, role-based access to customer data and so on.

    But what about technical support and access to customer data, particularly when required on a large-scale? What measures are available to manage, minimize and control this?

  • Redundancy

    Redundancy is the process in which an employee is dismissed for the following reasons:

    • Relocation - if the organisation relocates to an inconvenient location for the employee then they qualify for redundancy.
    • Cessation – when an employer decides to cease business or close part of the business where an employee works.
    • Surplus labour – when employers need to downsize their staff for various reasons including the introduction of labour-saving devices or re-organisation of the business.
    •  Right to be forgotten

      Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

      Anonymisation ensures that the anonymised data is no longer identifiable to a person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would then be able to explain that you no longer have personal data related to that subject on your database. That said, anonymisation is very hard to achieve perfectly and leaves some risk unless performed properly.

    • Top ten GDPR priorities

      1. Manage expectations - GDPR ‘compliance’ is a matter of constant review, adoption of policies and adaptation of processes. Plan, develop and sustain.

      2. Continued awareness and training for staff.

      3. Update your privacy policy, consent capture and recording.

    • Insolvency rules

      The most recent Insolvency Rules (IR) came into place on 6th April 2017, with the intention of modernising and streamlining the initial process. This involved cutting costs on insolvency, as well as consolidating previous amendments, and ensuring that the language used is both modern and gender-neutral for the people of England and Wales.

      Under the Insolvency Rules 1986 (Amended on 6th April 2017) came the abolition of statutory forms, which were replaced by specific forms, where prescribed information could be contained.

      The changes to the new IR include:

Make a free enquiry, call now

0151 659 1070
