The General Data Protection Regulation

What is the GDPR?

The GDPR is a European Directive which applies to the processing of personal data through automated and non-automated means.

The Data Protection Act 1998 (DPA) currently regulates how and when employers can process their employees’ personal and sensitive data. Although there are similarities between the DPA and the GDPR, there are some key differences that employers need to be aware of.

What are the fundamental principles of the GDPR?

Employers must adhere to the GDPR’s seven principles when processing their employees’ data. They are:

  1. Personal data must be processed lawfully, fairly and in a transparent manner.
  2. Personal data must be collected for specified, explicit and legitimate purposes only.
  3. Personal data must be adequate, relevant and limited to what is necessary.
  4. Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay.
  5. Personal data must be kept for no longer than is necessary.
  6. Personal data must be processed securely.
  7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

To an extent, the above simply reflects best practice, which, generally speaking, any employer currently meeting DPA requirements will meet.

The Information Commissioner’s Office (ICO) has provided guidance on its website for employers, and further guidance on some of the specific aspects of the GDPR is anticipated.

What are some of the key changes being introduced by the GDPR?

Controller responsibility (principle seven) – Although this is implicit in the DPA, the GDPR explicitly requires data controllers to demonstrate that the organisation is meeting its requirements. This could be achieved, for example, through the introduction of tangible policies and procedures to evidence the steps taken.

Personal data – The definition has been expanded to include both automated personal data (such as e-mail addresses) and manual filing systems where personal data are accessible according to specific criteria. “Sensitive” personal data has also been redefined as “special categories of personal data”.

Consent – It is not uncommon for employers to rely on relatively passive means of gathering employee consent through, for example, tick boxes or inaction. This will no longer be sufficient. The GDPR requires consent to be (i) freely given, (ii) specific to an identifiable issue and (iii) informed. Employers must also be able to verify how and when the consent was given and should be aware that consent can be withdrawn.

Privacy notices – Controllers must provide employees with concise and intelligible information about how their information is processed. This must be provided in clear, plain language and without charge.

Subject access requests – These are currently permitted under the DPA. However, under the GDPR, employers will no longer be able to charge the nominal (£10) fee (although a ‘reasonable fee’ may be charged in certain circumstances), and requests must be responded to ‘without delay’ or, at the latest, within one month. The employer must also take ‘reasonable measures’ to identify the person making the request and is encouraged to provide remote access to a secure self-service system through which the information can be accessed.

Erasure of information – Under the DPA, employers can be required to erase information that causes “unwarranted and substantial damage or distress”. No such damage or distress needs to be shown under the GDPR. This is not, however, an automatic right, and employers can refuse to delete the information in specific circumstances.

Automated decisions – Under the DPA, employees can require that no automated decisions are made using their personal data. Under the GDPR, this will be an automatic right and no notice needs to be given.

Data protection impact assessments (DPIAs) – These help organisations identify the most effective way to comply with their data protection obligations. Although they represent best practice, they are not currently obligatory. Under the GDPR, a DPIA must be carried out when new technologies are being used which could result in a high risk to individuals’ rights and freedoms, such as the use of CCTV.

Breach notices – All organisations must report certain types of data breaches to the relevant supervisory body within 72 hours.

Transfer of data outside the EU – This will only be permitted in limited circumstances, such as where the country to which the data is to be transferred is approved by the European Commission or complies with the GDPR.

What should employers do now to prepare for the GDPR?

The ICO has provided a checklist of 12 steps that employers should consider taking now in preparation for May 2018. These include:

  • Start documenting the information held in order to ensure compliance with the seven principles;
  • Review the wording of current privacy notices and update them as necessary;
  • Check whether automated decision making is taking place and review it as necessary;
  • Check policies and procedures to ensure that they are compliant with the GDPR, and introduce policies and procedures where necessary to meet its requirements;
  • Identify the legal basis for processing personal data;
  • Review how and when employee consent to process data is sought and consider whether this meets the stricter requirements of the GDPR.

The above is only a summary of some of the key issues for employers to consider in advance of the introduction of the GDPR. If you have any questions, please contact Debbie Sadler on 0118 957 5337 or at d.sadler@hewetts.co.uk.

Published on 13/04/2017
