Data protection law has been relatively stable since the Data Protection Act 1998 (“DPA”) came into force, and you may (or may not!) feel that your business has finally got to grips with data protection.
However, all this is set to change with the introduction of the EU’s General Data Protection Regulation (“GDPR”) in May 2018, and the UK’s Data Protection Bill (“the Bill”), which is set to become the new Data Protection Act in due course.
The Bill will operate alongside the GDPR until the UK leaves the EU, after which the UK will be governed by the new Data Protection Act and any related domestic data protection legislation.
So what do employers really need to know about the GDPR and the Bill?
The GDPR will introduce greater rights for individuals and broader, more prescriptive obligations for employers. The sanctions for getting this wrong are significant.
The GDPR’s definition of personal data is more detailed than under the DPA and makes clear that even information such as an online identifier (e.g. an IP address) can be personal data. As such, more data will be “caught” by the new regime.
For the processing of data to be lawful under the GDPR, there must be a legal basis/condition before data can be processed. Consent is one of those conditions. However, the GDPR states that consent must be “freely given, specific, informed and unambiguous”, and it will be invalid where there is “a clear imbalance between the data subject and the controller”. As an imbalance will usually exist in the employment context, it will be difficult for an employer to rely upon an employee’s consent to process their data.
The GDPR goes even further in relation to “special categories of personal data” (akin to sensitive personal data). This cannot be processed unless one of the exemptions applies, for example:
- The data subject has given “explicit consent”- which may be very difficult to obtain; or
- The processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”;
- it complies with “appropriate safeguards for the fundamental rights and interests of the data subject” put in place by the relevant EU member state. This is where the Bill comes in….
Whilst the main purpose of the Bill is to transpose the GDPR into UK law, it also addresses areas within the GDPR which EU member states are allowed to adapt, including confirming the “safeguards” for processing employees’ “special categories of personal data”.
So what are the key areas for employers in the 200+ page Bill?
Employers can only process employees’ “special categories of personal data” if:
- the processing is “necessary…”; and
- the data controller (i.e. the employer) has “an appropriate policy document” in place when the processing takes place.
The policy must explain how it will comply with the data protection principles and its policies for the retention, including how long the employee data is likely to be retained.
The Bill further obliges a data controller to keep the policy document under review and updated, and to make it available to the Information Commissioner on request.
This obligation continues for the “relevant period”, which starts when the processing first begins and ends 6 months after the processing is complete.
The Bill also contains the additional “safeguard” that the data controller must maintain a record of the “special categories of personal data” it has processed, including:
- which condition it relies on to process this;
- how the processing satisfies the “lawfulness of processing” provisions under the GDPR; and
- whether the personal data is retained and erased in accordance with the policy and, if not, the reasons for this.
Fees for subject access requests
- In contrast to the GDPR, the Bill allows data controllers to charge a “reasonable fee” before responding to subject access requests, as is the case now.
New criminal offences
- The Bill creates a new criminal offence of altering personal data to prevent disclosure under a subject access request.
What does this mean for your or your business?
To be ready for GDPR by May 2018, you need to begin compliance now.
From an employment perspective, your key focus should be to update your existing Data Protection policy, if you have one, and to get one if not!
As part of this exercise, you should carefully consider what employee data you process, why and how you process that data, whether this processing is likely to be lawful post-GDPR, how you store the data, and how long the data is to retained………etc.
You should also consider the issue of employee consent (to processing their data), as blanket consents in employment contracts and policies are unlikely to comply. In addition, any consent obtained pre-May 2018 will not be valid from that date unless it is GDPR compliant.
There are, of course, wide-ranging implications for other areas of your business, which are beyond the scope of this note, including ensuring your commercial contracts are compliant, auditing your IT systems and databases and reviewing your marketing activities, and you may wish to obtain separate legal advice on these areas.
What do you need to be doing now?
Whatever the nature of your business, you will process personal data in order to run it, even if it is only receiving someone’s email address.
To avoid falling foul of the GDPR and the impending new Data Protection Act and the associated criminal and financial penalties, you must take your enhanced data protection obligations seriously.
It is in the interest of UK businesses to engage with these new data protection laws in a similar manner to the culture developed around health and safety in the workplace, and this engagement should start now.
We have put together a quick read on what you need to know generally about the upcoming changes to Data Protection which can be read HERE.
This commentary has been prepared for the purpose of an article only. It should not be regarded as a substitute for taking legal advice.