• Background

    The General Data Protection Regulation (GDPR) deals with rights, obligations and potential penalties in relation to data protection. The aim is to achieve a common set of data protection rules across the EU, but member states will still be able to legislate directly in some areas, one being employment.

    Whilst the Regulations have been approved by the European Union, we must now await publication, and there will then be a period before they become binding. It is expected that the Regulations will need to be implemented by all businesses by the summer of 2018. The European Commission believes it will save business EUR2.3 billion a year, but some commentators have challenged this figure, suggesting that compliance will increase the burden on businesses rather than save them money.

    There will be a tougher penalty regime, with the maximum penalty for non-compliance being EUR20 million or, if it would be higher, 4% of an undertaking’s worldwide turnover. The current maximum penalty in the UK is £500,000. This change is likely to mean that businesses will need to place more focus on compliance.
    Employment data

    The general approach will be similar to that currently required under the Data Protection Act 1998, but there will be greater focus on data protection and compliance, with a requirement for more granularity, legal processing and extended rights for data subjects. This in turn is likely to require businesses to provide more extensive information to employees and to have clear policies and procedures. It appears unlikely that it will be acceptable for consent to processing to be given in an employment contract, a stance that many employers currently adopt.

    The Regulations set out stricter and more detailed conditions for use of consent, which must be freely given, specific, informed and unambiguous, shown by either a statement or a clear affirmative action which signifies agreement to processing. Consent must also be ‘explicit’ for sensitive data. As the data controller, you will need to be able to demonstrate that consent was given.
    Next steps

    Whilst 2018 may seem a long way off, it would be advisable to start reviewing your processes and procedures now as many of the obligations are likely to take time to integrate into your current practices and procedures.
    Things you could be doing to prepare are:

    1. Put in place clear policies and procedures;
    2. Establish a framework for accountability;
    3. Embrace privacy by design;
    4. Analyse the legal basis on which you use personal data;
    5. Check your privacy notice and policies;
    6. Be prepared to deal with data subject requests;
    7. If you are a supplier consider whether you have any new obligations as a processor;
    8. For cross-border transfers ensure you have a legitimate basis for transferring

    There could, of course, be one further issue – the UK could leave the European Union after the referendum, which raises the question of how UK businesses will be affected by these changes, if at all!

    This content is correct at time of publication
