Data Protection rules are changing
In May 2018 a new European Regulation will come into force: the General Data Protection Regulation (GDPR). As this is a Regulation and not a Directive, the changes will apply automatically in UK law. The key area that will change for employers is the element of 'consent' in the provision of employee data. The other key feature of the new changes is the eye-watering fines for getting it wrong. Fines will be either €20m (£17m in the UK) or 4% of gross global turnover, whichever is the greater. The UK Information Commissioner has, however, said that large fines will not be the norm and will be saved for the most serious of breaches, which is reassuring!
Another change is that data processors are now subject to the same penalties as data controllers, which may have an impact on organisations that process data for third parties.
Under the existing UK Data Protection Regulations, employers usually obtain consent from employees to process data by way of a relevant clause within the contract of employment or statement of terms and conditions of employment. This also obtains consent to enable the processing of 'sensitive' personal data such as absence and health records. Under the new Regulations, consent must be given freely and not bundled into any other matter, such as an employment contract. This is going to be a significant change in the way most employers currently obtain the relevant consents. Under the new Regulations, 'contractual necessity' will still be a lawful and relevant ground for the processing of data, but it will need to be expressed differently, moving away from the current practice of relying on consent to process data. Sensitive personal data will still require explicit consent, but if it is not given or it is withdrawn, that may cause some problems for organisations in managing activities such as absence. We understand that some elements of the new General Data Protection Regulation do have to be converted into UK law, and the Government has announced its intention to respond to that with a new Data Protection Bill which will bring the EU GDPR legislation into UK law.
Another requirement for employers is that employees must fully understand what data is processed about them and how it is used, with greater transparency required. This means providing much more information than is currently usually the case. This is particularly important where data processors are relying on 'contractual necessity' or 'legitimate interest'. An understanding of what data is collected and why, along with the length of time it will be held, will be required for all aspects of data processing. For our Premium and Premium Plus clients, we will be working with you closely to ensure you are compliant with the latest requirements. For our Select and Classic clients, we will be providing information and guidance in a different format to enable you to undertake the necessary actions within your organisation.
The right to be forgotten is also a new element of the GDPR, and will probably be the biggest headline of this new legislation. There has been a lot of commentary around this with regard to things such as articles on Google and other Internet and social networking platforms. This may apply to some employment data where, for example, a significant amount of time has elapsed since the information was processed. An example of this would be some form of disciplinary sanction or record that remains on file when it is clearly out of time and is not relevant to the current employment.
There will be more information on this as the specific details become clearer. If you are not currently a client and would like some assistance with preparing for the new Regulations, please give the friendly HR team at CHaRM a call.