On 25 May 2018 the General Data Protection Regulation (GDPR) will come into effect in the UK. This is aimed at strengthening and harmonising data protection laws across the European Union. It is planned that the UK will retain the GDPR following Brexit and has introduced a Data Protection Bill to replace the Data Protection Act 1998.
Only last week the Government was encouraging businesses to get ready for GDPR. Likewise, employers would be wise to familiarise themselves with GDPR as they will be processing their employee’s personal data and will therefore have to comply.
Most of the key concepts are retained from the Data Protection Act 1998 and the GDPR goes further, giving more rights to employees regarding their personal data. The European Commission has published guidance which includes a ‘snapshot’ guide for SME’s. Businesses may also find the Information Commissioners Office website useful.
What are the key principles that need to be followed under the GDPR?
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (see below, Will consent be enough?).
- Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
- Storage limitation. Personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed.
- Integrity and confidentiality. Personal data must be processed in a manner that, through use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Accountability. The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
Will consent be enough?
Under the GDPR it is lawful for a data controller to process personal data under the GDPR if they have consent.
However, the GDPR requires consent to be freely given, specific, informed and unambiguous, and consent is not considered freely given if there is clear imbalance between a data subject and a data controller. Therefore, it appears that consent will not be the best basis for employers to rely on when dealing with most employee personal data.
Therefore, employers will need to consider the other lawful reasons for them to process data under the GDPR. These could be, for example:-
- The processing is necessary to comply with a legal obligation to which the controller is subject
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the data subject which require protection of personal data, especially were the data subject is a child.
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract (this can be the contract of employment).
Employers need to think about their lawful basis for processing personal data, and also about the information they need to provide to their employees.
For example, employees will have the right to be told:-
- The purpose of the processing and its legal basis
- If a data controller is relying on its legitimate interests as a condition for processing and what those legitimate interests are
- That they have a right to:
- Ask the employer to rectify or erase data
- Restrict or object processing
- Withdraw consent to processing (if relevant) and
- Complain to the Information Commissioners Office (ICO)
Those employers who are already fully compliant with the Data Protection Act 1998 may not find preparing for the GDPR too onerous, but they should be mindful that changes are likely to be needed. As a minimum, privacy notices and policies may need updating.
If you require advice on GDPR and getting ready for 25 May 2018 from an employment law perspective, we can assist. You can contact us on: 01730 268211 or at firstname.lastname@example.org