Our People
Cutting Through Complexity

Out with the Old Data, In with the New GDPR

29th June 2017

By Andrew Knorpel, Partner and Head of Employment

The Queen gave her speech to Parliament on 21 June 2017 without the usual crown on her head, but wearing a hat in the style of the EU flag. Amongst many Brexit-related bills and a few non-Brexit-related bills over a two year parliamentary session, the Queen announced a new Data Protection Bill to sit alongside the General Data Protection Regulation (“GDPR”) which will come into force on 25 May 2018.

The Bill will both deal with issues outside of the GDPR whilst we remain in the EU and “maintain our ability to share data with other EU member states and internationally after we leave the EU”. It will wholly replace the Data Protection Act 1998 and, amongst other things, formally introduce “a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it”.

When the GDPR comes into force, here are some of the changes applicable to employers:

  • Employers will have to give employees far more detail about the processing of their personal data, including the legal basis for doing so, the nature of the legitimate interests they seek to rely on and any relevant data retention periods
  • The standard consent for processing clause in contracts of employment will no longer be sufficient, any consent must be given in such a way in which it can be withdrawn and the employee must be notified of their right to withdraw consent
  • Employers will have to demonstrate their compliance with the GDPR, usually by means of documented impact assessments, audits and policies
  • The rights of data subjects will be enhanced and employers, who will no longer be able to charge a £10 fee, will have only one month (reduced from 40 days) to respond to data subject access requests

With less than a year left before the GDPR takes effect, all organisations should be well down the line of considering how they may need to changes their practices, procedures and documentation in order to comply with it. This will involve conducting a detailed audit of all data processed, much of which will occur in their capacity as employer.

With potential fines of up to €20 million or 4% of global annual turnover (whichever is higher) in the event of default (not to mention damage to your corporate reputation), we’ll look at what employers should be doing now to prepare for the GDPR in our next bulletin. But in the meantime, you should start considering:

  • Conducting an audit of all data held, who deals with it, with whom they share it, what is the justification for doing so and how long it will be held
  • Alternatives to relying on consent, such as where it is necessary for the performance of the employment contract (eg outsourced payroll) or pursuit of legitimate interests (eg photos in an internal phone directory)

The contents of this update are intended as guidance for readers. It can be no substitute for specific advice. Consequently we cannot accept responsibility for this information, errors or matters affected by subsequent changes in the law, or the content of any website referred to in this update. © Mundays LLP 2017.

Latest News

Getting in Touch with Your GDPR
Thursday 13th July 2017

Andrew Knorpel takes a more detailed look at some of the changes applicable to employers when the GDPR comes into force

Read More

Out with the Old Data, In with the New GDPR
Thursday 29th June 2017

Andrew Knorpel looks at some of the changes applicable to employers when the GDPR comes into force

Read More

Best Foot Forward! Lawyers Raise Funds for the Surrey Law Centre
Monday 19th June 2017

On 12th June a team of lawyers got out their walking boots and trekked 10K to raise money for The Surrey Law Centre.

Read More