A word on the EU General Data Protection Regulation

30th May 2017 / in News / by Nicola Brown

As the drama of Brexit unfolds, the UK is starting to have to make decisions about which forthcoming EU legislation it will take on board despite being in the process of exiting the EU. One piece of EU legislation that has been confirmed as being part of the UK legal landscape in the future is the General Data Protection Regulation (“GDPR”). This regulation will come into force on 25 May 2018 across EU member states, and the UK will also be implementing it at the same time.

The Information Commissioner’s Office (“ICO”) has issued some useful general guidance on the GDPR which can be found here.

A lot of the GDPR is already enshrined in the Data Protection Act 1998 (“DPA 1998”), so if employers comply with that (and in particular the eight principles of data protection) then they should be in a good position to comply with the GDPR.

However, there are some new requirements in the GDPR which will need consideration. Some key points and practical steps to take are set out below:

Subject access requests

For a general overview of what subject access requests are, please see our previous article here.

The rules around subject access requests will be changing. Once the GDPR is in force, employers will have only one month from the date of receipt of a subject access request to comply (as opposed to the current 40 days). There can be an extension for a further two months if necessary, if the request is complex. Employers will also no longer be able to charge a £10 fee (unless the request is excessive, in which case a proportionate fee can be charged).

Employers will only be able to refuse “manifestly unfounded or excessive requests”, and will need to have policies and procedures in place to set the criteria for refusal. When a refusal is made, employers will then need to be able to demonstrate why the request met those criteria.

This change means that organisations will have less time to consider and deal with a subject access request. Subject access requests are generally quite complex and time-consuming to deal with as many requests can be vague or require extensive searches to be undertaken across the organisation. Under the GDPR, there will be even more pressure put on employers to comply within a short timescale and for most, this will not be a welcome change.

Increased penalties

Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. This will certainly make some sit up in their chairs and think about data protection!

The level of fine will depend on the type of breach and any mitigating factors, but these are a significant increase compared to previous fines under the DPA 1998 (in the UK the maximum fine is currently £500,000).

Consent

Under the DPA 1998, there must be legal grounds for justifying the processing of personal data. For many employers, and often for organisations providing services as well, the most utilised legal ground is obtaining consent. The usual practice is for employment contracts to contain a general clause which specifies that an employee is consenting to their personal data being processed.

Under the GDPR, individuals’ rights will be modified depending on the legal basis for processing their personal data. In addition, the GDPR is much more prescriptive about requirements for obtaining consent, and specifies that it must be made clear that individuals (including employees) can withdraw their consent at any time. The GDPR says that consent must be freely given, specific, informed and unambiguous. Where the legal ground for processing is consent, individuals will have stronger rights in regard to their data (such as the ‘right to be forgotten’).

The general consensus is that initially employers should be thinking about conducting a data audit to set out where and why they process any employee data. This is actually quite hard given the complexity and nuances of dealing with employee data! Employers will then need to see what legal ground they have to be able to process such data. In very general terms, the legal grounds for processing data under the GDPR will be as follows:

  • Consent of the data subject.
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to protect the vital interests of a data subject or another person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

It is possible that a solution will be for employers to get employees to sign a more detailed and separate consent form, rather than making it part of the employment contract. The reality is that very few employees are going to object to their employer processing their data. However, employees will need to be informed about their right to be able to revoke consent at any time, which is why a separate consent form may be useful. This will also be evidence of the consent having been given.

That said, the GDPR says that consent will not be freely given where there is an imbalance in the relationship, and this is likely to be the case in an employer-employee relationship.

Therefore, given the increased complexity around obtaining consent, it may be very wise to consider if there are other grounds that can legitimately be used to justify processing employee data and to utilise those wherever you can. The ICO has indicated that the “legitimate interests” ground is likely to be the most relevant for employers. If there are other legitimate grounds, then employers will not need to seek consent.

The ICO has issued draft guidance about consent under the GDPR – this can be found here.

Data breach notification

The GDPR imposes a new mandatory data breach reporting requirement. Where there has been a breach (for example, an accidental loss of data, or hacking of computer systems with data revealed on the internet), an employer must notify the ICO about this within 72 hours. If that timescale is not met, there will need to be justification as to why the breach was not reported within that timeframe. Where the breach poses a high risk to the rights and freedoms of the individuals concerned, those individuals will also have to be notified.

There have been some infamous data breaches over the past few years, including the recent NHS data breach. Prevention is better than cure, so employers should be reviewing safeguards and putting policies or systems in place so that data breaches do not occur in the first place.

Employers should also have policies and procedures in place (plus training on these) to ensure data protection breaches are recognised, reported to the right person (who can make decisions on whether to report to the ICO), and are reported quickly.

Privacy notices

Under the current law, employers are required to provide employees and job applicants with a privacy notice which covers matters such as how their information is used. Under the GDPR, employers will need to provide more detailed information in privacy notices, such as:

  • how long data will be stored for;
  • whether data will be transferred to other countries;
  • information on the right to make a subject access request; and
  • information on the right to have personal data deleted or rectified in certain instances.

Data protection officers

All public authorities, and those private companies involved in regular monitoring or large-scale processing of sensitive data (for example, health data), will need to appoint a data protection officer to carry out activities related to the GDPR and monitor compliance.

It is important to be thinking about the GDPR now, given that it will be in place in a year’s time. The first step is to audit what data you process and why you need to process it. This will then help you determine the next steps to take to ensure compliance.

Data protection is going to be an increasingly important issue, so it is worth investing effort and some resources into such matters, especially with the threat of increased penalties for non-compliance.

If you would like to talk through a situation you are dealing with, or if you need advice on any aspect of employment law, please contact any member of the Pure Employment Law team (01243 836840 or [email protected]).

Please note that this update is not intended to be exhaustive or be a substitute for legal advice. The application of the law in this area will often depend upon the specific facts and you are advised to seek specific advice on any given scenario.