Data Protection in the UK: out with the old, in with the new.
Big changes are afoot in the law relating to data regulation in the EU. Is your business ready to ensure compliance and avoid the hefty penalties?

Employers across the EU are being urged to take steps now to prepare for 25th May 2018, when the new General Data Protection Regulation (GDPR) will come into force, replacing the current Data Protection Directive. Although Brexit is looming, the government has confirmed that the new legislation will apply in the UK, as it will still be a member of the EU at the time of implementation.

Right now, the current Data Protection Directive is incorporated in the UK by the Data Protection Act 1998, and many of the principles will remain the same. However, there are a number of new and complex obligations on employers that should be understood and implemented in businesses now in order to ensure compliance in time for May 2018:
1 Restricting the use of consent as a justification for processing data

Consent is no longer sufficient justification for processing data and, in particular, employee data. The GDPR states that consent must be ‘freely given, specific, informed and unambiguous’. It must also be given by a statement or by a clear affirmative action. If consent is given through a written declaration, the request for consent must be clearly distinguishable from other matters and easy to understand.

What this requirement means for employers is that, particularly in relation to contracts of employment, generic consents will no longer be a valid justification for processing employee data.

Employers should start reviewing their existing documents to see whether consent is given in line with the new requirements, or whether they can show that they have a legitimate interest in processing the data that is not overridden by the interests of the data subject.
2 Demonstrating compliance through the documentation of data processing activities

With the GDPR’s new focus on accountability, businesses will have to ‘demonstrate’ compliance with the principles relating to personal data. Employers should consider adopting a GDPR compliance programme to implement and monitor their data processing activities.
3 Adopting organisational measures for data protection such as policies and practices

Employers should adopt easily accessible and clear policies and procedures in relation to data protection. This will ensure compliance with the GDPR requirement that information provided must be in clear and plain language.
4 Providing more information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data

Transparency is key. Employers should provide employees and job applicants with full information in respect of their personal data. Employees and applicants should also be well versed in their rights. If employers have clear policies and procedures in place to address this, then there will not be an issue.
It is especially important for employers to prepare for the new requirements, as the GDPR has created a new enforcement system with significantly higher maximum penalties than at present. In some circumstances, a breach can result in a maximum fine of €20 million or 4% of an undertaking’s worldwide annual turnover, whichever is higher.
Hannah Jones