Data Protection: new obligations for employers
Proposed changes to data protection provisions are due to come into force next year, and they will be of particular interest to employers and HR professionals. As announced in the Queen’s Speech, the Data Protection Bill (which has not yet been published) will implement the EU General Data Protection Regulation (GDPR) and replace the current Data Protection Act 1998.
The aim of the Data Protection Bill is to ensure that the UK maintains a world-class data protection regime that is fit for the digital age and allows individuals greater control over their data. It also aims to assist with putting the UK in the best position to “maintain our ability to share data with other EU member states and internationally after we leave the EU”. The GDPR seeks to implement a common set of rules across the EU, but the UK will have the power to introduce further legislation in the context of employment.
As the Data Protection Bill has yet to be published, the detail of the final provisions is not yet clear. However, employers should have an overview of some of the key provisions of the GDPR now and become familiar with some of its main principles.
For employers, the key area of change is likely to centre around employee consent to the processing of their data. It is common practice for employers to include a clause in the contract of employment which is then signed by the employee to signify their consent to the processing. However, it is likely that under the new provisions, this will not be sufficient. The GDPR includes stricter conditions on the use of consent. In particular, consent must be freely given, which will not be the case where there is no genuine free choice. As employment contracts are generally issued at the start of employment with no opportunity for negotiation, this may mean that consent is not effective.
In addition, employers will need to provide employees with more detailed information than under current provisions about the processing of their data and the legal basis for that processing. Employers will need to explain, for example, the source of the data, who will receive it, the period for which it will be stored, the existence of data subject rights (including the right to be forgotten), the right to withdraw consent and the right to complain.
Data subject rights will also be extended. They will include the right to be forgotten (for data to be erased), the right to rectification (where data is inaccurate or incomplete) and the right to object to the processing. Employers will be required to provide information about those rights to employees. The £10 fee that an employer can currently require to comply with data subject access requests will be abolished, although an employer may be able to charge a “reasonable fee” where a request is “manifestly unfounded or excessive”. The current period of 40 days in which an employer has to respond to the request will also be changed to one month, with a possible extension if necessary, taking into account the complexity of the request.
There will also be an obligation on employers to notify the regulator promptly and within 72 hours of any personal data breach. This could include, for example, an employee leaving a laptop on a train or sending emails to the wrong person. However, this requirement will not apply if the breach is unlikely to result in a risk to data subjects.
The new data protection provisions will have a key impact on employers, who will have a duty to comply with the data protection principles and also to demonstrate that compliance. As the GDPR carries much tougher penalties for non-compliance than under current legislation, with fines of 20 million euros or 4% of an undertaking’s worldwide turnover (if that is higher), it will be crucial for employers to become fully aware of the new provisions as and when they are published and review their compliance procedures.
At our next employment law update we will be exploring the GDPR in detail, and highlighting the impact that this will have on employers. The update will be taking place on 23 January 2018, so save the date!
27 July 2017
©2017 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK COMPETENT PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST.