Data protection and GDPR
All businesses have obligations to current and former employees, job applicants, and agency, contract and other casual workers under the Data Protection Act 1998. With the General Data Protection Regulation (GDPR) coming into force in May 2018, heavy penalties can be levied if you fail to comply with the law.
The current laws cover personal data that might be found in databases, manual filing systems, word processing programs, emails, CCTV records, telephone records, internet use, payroll systems and records of when swipe cards have been used for automated door entry systems.
As a business, you should ensure that personal data is processed fairly and lawfully and only for limited purposes; that what is retained is adequate, relevant, not excessive and up to date; and that it is kept secure and for no longer than necessary.
The General Data Protection Regulations
The law has changed.
The GDPR came into force on 25 May 2018 and created a single framework for data protection and control across the EU to try to cope with the advances in and use of technology.
Businesses will have to take responsibility for protecting the personal data they hold with a focus on the individual’s consent to the data being kept and processed – it must be freely given, specific, informed and unambiguous. So the use of pre-ticked boxes indicating consent or ‘consent by default’ will be prohibited.
Employees will have much greater control of their personal data including the right to withdraw their consent to data being processed – and the right to be forgotten.
The Regulations impose further requirements, such as an obligation to impose contractual conditions on other businesses which may process the personal data of your employees.
The GDPR has tougher penalties for those in breach, including fines of up to €20 million or 4% of worldwide turnover, whichever is higher.
Does the GDPR apply to my business?
If your business was subject to the Data Protection Act 1998 (DPA), then it will also be subject to the GDPR.
The Regulations will remain relevant to UK businesses even after we leave the EU, given that the intention of the government’s Great Repeal Bill is to convert all EU law in force at the time of our exit into UK law. Even if this were not the case, the GDPR will apply to any organisation which employs people to work within the EU, offers goods or services in the EU, or monitors the behaviour of customers or individuals within the EU.
How does this affect my employees and job applicants?
Under the DPA, your business is already expected to provide information to employees and job applicants about the collection of their personal data in a ‘fair processing/privacy notice’. Many do this in the form of their own data protection policy.
The GDPR requires prospective employers to include far more extensive information in these notices, including: information on your identity, how you intend to use the data, why it is being processed, how long the data will be retained for and how the employee or applicant can raise a complaint. In light of these additional requirements, you should review your data protection policies or privacy notices to ensure that they comply.
Employees’ rights under the GDPR
Under the GDPR, your staff will have new and increased rights to object to the processing of certain data, to restrict how it is used and to have it corrected or deleted altogether. If a valid application is made for data to be corrected or deleted, you must comply without delay. Employees will have the right not to be subject to decisions being made automatically – this is likely to apply to matters such as automated short-listing; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering.
Penalties under the GDPR
Breach of the GDPR could lead to onerous sanctions and heavy penalties.
Infringements of any of the basic principles for processing data and the rights of data subjects will attract maximum penalties of €20 million or 4% of the organisation’s total worldwide annual turnover, if higher.
Employers will also be required to notify the Information Commissioner of any data protection breaches within 72 hours of becoming aware of a breach resulting in unauthorised loss, amendment or disclosure of data – unless the breach is unlikely to result in a risk to the rights of employees.
If there is a high risk to your staff, you will have to let your staff know promptly. Failure to notify them of a breach could result in a fine – in addition to any sanction for the breach itself.
Subject Access Requests (SAR) under the GDPR
Businesses are already used to receiving SARs from employees. The GDPR expands an individual’s right to require you to delete, correct or restrict the processing of their personal data.
When responding to a SAR, employers will need to tell staff how long you expect to store their personal data for and give details of their right to require you to erase it.
You will have less time to respond to a SAR – without ‘undue delay’ and no later than one month from the request. The DPA required a response within 40 days.
Employers will no longer be able to charge the standard fee of £10 to process a SAR. Where a request is manifestly unfounded or excessive, you will be able to charge a reasonable administrative fee.
When you comply with the request for data, your staff will be given the right to require that data is corrected or deleted (if it is no longer necessary to store it for the purpose for which it was obtained).