Changes to Data Protection Laws
Data protection – granted, not the juiciest area of employment law for employers to deal with – will undergo extensive changes next year which will affect every employer in the country.
The European General Data Protection Regulation will be introduced in May 2018 but employers are being urged to begin to take practical steps now to ensure they are not caught unawares next year.
What Is Data Protection?
The Data Protection Act 1998 provides a structure to ensure that data processors process the data of their subjects in a lawful way. Employers are, for these purposes, data processors and the data subjects are their employees.
‘Data’ is information that is processed by means of a computer or recorded in a relevant filing system. It is further classified as ‘personal data’, which is information from which the individual to whom it relates can be identified, and ‘sensitive personal data’, which is data relating to, amongst other things, a person’s race, any disability, sexual orientation or health condition.
The Act creates 8 data protection principles which employers must stick to when processing data. Employers must, for example, ensure that data is kept accurate and up to date, processed fairly and not kept for any longer than necessary.
What is Changing?
Some of the main changes affecting employers from May 2018 will be:
- Employers must obtain explicit consent from employees to the processing of their data. A reference to consent buried within an employee handbook will not be sufficient. Employees must also be informed of their right to withdraw consent.
- Employers dealing with subject access requests (where employees request sight of the personal data kept on them) will no longer be able to charge the employee £10 as standard. Charges may only be applied where the request is excessive.
- Information requested in a subject access request must be provided by employers as soon as possible and within a month at the most. Currently, a 40-day deadline applies.
- Breaches of data protection laws will carry a fine of up to the higher of 4% of annual global turnover or €20 million.
- Data protection risk assessments must be carried out when employers begin a new project or new strategy.
- Breaches will have to be notified within 72 hours.
What Should Employers Do Now?
The Information Commissioner – the body which presides over data protection in Great Britain – has issued guidance for employers on how to prepare for the changes. Amongst other things, it suggests employers:
- Make themselves aware of the changes and the impact they will have.
- Document what personal data they hold and how they share it.
- Determine where changes will be needed to relevant company documentation.
- Plan how they will need to deal with subject access requests.
- Review how consent to processing is obtained.
Now that we know a little more about the Brexit timeline, it is appropriate to consider its impact on this new legislation. For as long as the UK remains in the EU, it must comply with EU legislation. However, it is plausible that the UK Government will make changes to this law once it has left.