What is the GDPR?
The GDPR is a European Directive which applies to the processing of personal data through automated and non-automated means.
The Data Protection Act 1998 (DPA) currently regulates how and when employers can process their employees’ personal and sensitive data. Although there are similarities between the DPA and the GDPR, there are some key differences that employers need to be aware of.
What are the fundamental principles of the GDPR?
Employers must adhere to the GDPR’s seven principles when processing their employees’ data. They are:-
To an extent, the above simply reflects best practice, which, generally speaking, any employer currently meeting DPA requirements will meet.
The Information Commissioners Office (ICO) has provided guidance on its website for employers and further guidance on some of the specific aspects of the GDPR are anticipated.
What are some of the Key Changes being introduced by the GDPR?
Controller responsibility (principle seven) - Although this is implicit in the DPA, the GDPR explicitly requires data controllers to demonstrate that the organisation is meeting its requirements. This could be achieved, for example, through the introduction of tangible policies and procedures to evidence the steps taken.
Personal Data - The definition has been expanded to include both automated personal data, (such as e-mail addresses), and manual filing systems where personal data are accessible according to specific criteria. “Sensitive” personal data has also been redefined as “special categories of personal data”.
Consent – It is not uncommon for employers to rely on relatively passive means of gathering employee consent through, for example, tick boxes or inaction. This will no longer be sufficient. The GDPR requires consent to be i) freely given, ii) specific to an identifiable issue, iii) informed. Employers must also verify how and when the consent was given and should be aware that consent can be withdrawn.
Privacy notices - Controllers must provide employees with concise and intelligible information about how their information is processed. This must be provided in clear, plain language without charge.
Subject Access Requests – these are currently permitted under the DPA. However, under the GDPR, employers will no longer be able to charge the nominal (£10) fee (although a 'reasonable fee' may be charged in certain circumstances), and requests must be responded to 'without delay' or, at the latest, within one month. The employer must also take ‘reasonable measures’ to identify the person making the request and is encouraged to provide remote access to a secure self-service system to access the information.
Erasure of information - Under the DPA, employers can be required to erase information that causes “unwarranted and substantial damage or distress”. No such damage or distress needs to be shown under the GDPR. This is not, however, an automatic right and employers can refuse to delete the information in specific circumstances.
Automated decisions – under the DPA, employees can require that no automated decisions are made using their personal data. Under the GDPR, this will be an automatic right and no notice needs to be given.
Data protection impact assessments (DPIA) – these help organisations identify the most effective way to comply with their data protection obligations. Although they represent best practice, they are not currently obligatory. Under the GDPR, DPIA assessments must be carried out when new technologies are being used which could result in a high risk to the rights and freedoms, such as, for example when using CCTV.
Breach notices – all organisations must report certain types of data breaches to the relevant supervisory body within 72 hours.
Transfer of Data outside the EU – this will only be permitted in limited circumstances such as if the country to which the data is to be transferred is approved by the European Commission or complies with the GDPR.
What should employers do now to prepare for the GDPR?
The ICO has provided a checklist of 12 steps that employers should consider taking now in preparation for May 2018. These include:-
The above is only a summary of some of the key issues for employers to consider in advance of the introduction of the GDPR. If you have any questions, please contact Debbie Sadler on 0118 957 5337 or at firstname.lastname@example.org.
Published on 13/04/2017