By Roselyn Borg

This article was published on the Malta Independent online on 25th May 2018


The big day has arrived, and I am not referring to the royal wedding of Harry and Meghan that so many people have looked forward to. On the contrary, I am referring to what many would describe as the “dreaded day”, that is today, the date when the General Data Protection Regulation (GDPR) comes into force.

There is no doubt that many of us have heard about GDPR. Social media as well as a number of publications have in some way, shape or form made reference to GDPR, and everyone’s mailbox has been bombarded with requests for consent or information about updated Privacy Notices and Policies. This does not necessarily mean that all companies sending these emails got it right – in actual fact most GDPR emails are pointless and some actually illegal. In summary, if the company had consent to communicate with you (the data subject) before GDPR, the consent given most probably still holds, and even if it does not, there are other reasons a business can rely on in order to be able to continue to process data. On the other hand, if a company never had consent to contact you, nor did it have a business relationship with you, but is sending you an email to acquire consent, then such communication is illegal.

Some companies are in panic mode and feel that they did not have enough time to prepare, but let us put things in context – after four years of discussion, GDPR was officially adopted by the European Union in 2016. The regulation gave companies a two-year runway to get compliant, which is adequate time to do so. The reality cannot be further from this fact. Like getting your VAT paperwork done – there are those of us who plan and get it done early and in time, and then there are the rest who leave it to the last minute and even submit it past the deadline or do not submit it at all!

Hence, in essence, what is GDPR all about? GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens. And we cannot ignore the fact that non-compliance could cost companies a lot of money. In truth, this is what is really worrying companies.

GDPR brings outdated personal data laws across the EU up to speed with an increasingly digital era, and for those companies who have complied with the previous law this new law should be, as stated by the UK’s Information Commissioner, “… an evolution, not a revolution”. However, the reality is that many Maltese companies have not been complying with the old law, and hence this law has meant a big culture change and has also meant addressing all the gaps to be in line with the new law. This in itself is a burdensome task, costing companies not just money but also their precious time.

GDPR establishes new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines. It affects all the departments in a company from Finance to Human Resources to Information Technology and the rest.

If we were to focus on the human resources aspect, clearly employers process a lot of personal data on a day-to-day basis. This can be for various reasons, including but not limited to recruitment and background checks, payroll, training, and health and safety. Furthermore, the types of personal data processed are hugely wide-ranging as well and include disciplinary matters, personal and health information and much more. Hence employers too need to ensure that the data they hold about their employees and the information rights employees have are in line with this new law.

Covering such a burdensome regulation in one article would be ambitious, yet it would also be foolish to ignore this law, and if your organisation has done nothing yet, it is best to start now rather than bury your head in the sand believing it won’t come back to bite you.


You can view the uploaded article here – http://www.independent.com.mt/articles/2018-05-25/newspaper-opinions/GDPR-the-big-day-has-arrived-6736190470