GDPR: Data protection law is about to go through its biggest shake-up since 1998!
Data protection law is about to go through the biggest shake-up since the introduction of the Data Protection Act in 1998. The General Data Protection Regulation (commonly known as “GDPR”) came into force in May 2016, and, regardless of Brexit, it will be transposed into UK law on 25 May 2018. It radically overhauls data protection in the UK, and there are changes of which all employers need to be aware.
In summary, the GDPR’s changes include:
- making it easier for people to withdraw their consent for their personal data to be used;
- requiring companies to obtain explicit consent when they process sensitive personal data (i.e. there has to be an ‘opt in’ rather than an ‘opt out’ and it must be very simple to understand);
- allowing people to obtain the information organisations hold on them much more easily;
- providing the right to free access to that information;
- making the definition of ‘personal data’ much wider, to include data such as IP addresses and biometric data;
- providing data subjects with increased rights to claim compensation for breaches such as where “other adverse effects” are suffered beyond financial loss or distress.
Importantly, the GDPR will create new criminal offences:
- intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data;
- altering records with an intent to prevent disclosure to a data subject following a subject access request;
- unlawfully obtaining or disclosing personal data without the data controller’s consent.
There are also new maximum penalties of 4% of annual global turnover or up to 20m Euros (whichever is higher) where there is a failure in compliance.
It is particularly important that employers are aware of their responsibilities and liabilities because the GDPR will affect them considerably. Businesses are likely to process significantly more data in relation to employees than in other contexts. By way of example, employers may process data on workers including:
- CCTV footage of their arrival at or departure from work (or even while at work);
- lift or floor access information;
- computer log-on data;
- sickness records and information;
- financial information;
- sensitive personal information;
- data on websites visited, phone calls made and emails sent or received.
Furthermore, much employment data is likely to be unstructured. Employers who have dealt with complex subject access requests will be aware of the challenges in handling such requests. For example, the text of an email may contain personal data about the sender, the recipient or a third party. Some of that data may be sensitive personal data, or even sensitive personal data about a child (for example “Sorry, can’t make the meeting, my daughter has chickenpox”).
The rules are changing and, to make matters more complicated, at the time of writing this article, Parliament hasn’t even been able to agree on the final version. In short, we’re close to 6 months away from the biggest changes in data protection this century and we’re still uncertain as to how they will operate in practice. Its drafting has been described as ‘ugly and complex’. The Government has said “the Bill carefully protects privacy while allowing for important exemptions such as protecting the freedom of the press, safeguarding children and maintaining the integrity of professional sports”, but the opposition has tabled amendments which the Government describes as “reckless” and placing “all the exemptions at risk”.
With all this taking place, employers could be forgiven for burying their heads in the sand and taking a ‘wait and see’ approach. The difficulty with this approach is the timing – there are going to be significant changes and it is better to be prepared in advance, particularly given the penalties for failure in compliance.
Employers will need to have data protection policies in place, and be able to show that they have implemented the policy e.g. through staff training, audits of data processing and so on. Matters to consider in advance include:
- Reviewing contracts of employment, handbooks and policies to ensure compliance with the GDPR. In particular, ensure the proper consents are in place;
- Identifying all existing data systems and the personal data processed;
- Ensuring the resources are in place to prepare for change by identifying who takes overall responsibility and ensuring that they have the time and support to plan for the reforms;
- Reviewing or introducing the fair-processing information and privacy notices given to employees (and job applicants);
- Assessing whether the business currently uses consent to justify processing;
- Establishing a policy for handling data breaches and on the retention and storage of data (including emails).
DC Employment Solicitors will keep you updated as the matter unfolds, and Daryl Cowan and Darren Tibble (partners at DC Employment Solicitors) will be providing training on the GDPR at the CIPD ‘Employment Law Update: The General Data Protection Regulation (Southampton Group)’ event being held on Wednesday 6 December 2017.