The Queen gave her speech to Parliament on 21 June 2017 without the usual crown on her head, but wearing a hat in the style of the EU flag. Amongst many Brexit-related bills and a few non-Brexit-related bills over a two-year parliamentary session, the Queen announced a new Data Protection Bill to sit alongside the General Data Protection Regulation (“GDPR”), which will come into force on 25 May 2018.
The Bill will both deal with issues outside of the GDPR whilst we remain in the EU and “maintain our ability to share data with other EU member states and internationally after we leave the EU”. It will wholly replace the Data Protection Act 1998 and, amongst other things, formally introduce “a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it”.
When the GDPR comes into force, here are some of the changes applicable to employers:
Employers will have to give employees far more detail about the processing of their personal data, including the legal basis for doing so, the nature of the legitimate interests they seek to rely on and any relevant data retention periods
The standard consent-for-processing clause in contracts of employment will no longer be sufficient; any consent must be given in a way that allows it to be withdrawn, and the employee must be notified of their right to withdraw consent
Employers will have to demonstrate their compliance with the GDPR, usually by means of documented impact assessments, audits and policies
The rights of data subjects will be enhanced and employers, who will no longer be able to charge a £10 fee, will have only one month (reduced from 40 days) to respond to data subject access requests
With less than a year left before the GDPR takes effect, all organisations should be well down the line of considering how they may need to change their practices, procedures and documentation in order to comply with it. This will involve conducting a detailed audit of all data processed, much of which will occur in their capacity as employer.
With potential fines of up to €20 million or 4% of global annual turnover (whichever is higher) in the event of default (not to mention damage to your corporate reputation), we’ll look at what employers should be doing now to prepare for the GDPR in our next bulletin. But in the meantime, you should start considering:
Conducting an audit of all data held: who deals with it, with whom they share it, what the justification for doing so is and how long it will be held
Alternatives to relying on consent, such as where it is necessary for the performance of the employment contract (eg outsourced payroll) or pursuit of legitimate interests (eg photos in an internal phone directory)