You may be aware that there are going to be changes to data protection legislation coming into force next year. It is known as the General Data Protection Regulation or GDPR. The regulation was introduced by the European Parliament but will be implemented through the Data Protection Act 1998, which is a UK law. There has been some confusion about whether the decision to leave the EU makes it complicated, but as we are at least 18 months away from our departure, this law will affect us regardless. In addition, compliance with the regulations will most likely be a condition for most businesses to continue trading with EU partners. The purpose of the regulation is to expand employee rights, increase sanctions and remove inconsistencies from the current law. It will introduce several new concepts, with particular focus on the processing of data.
The main changes are as follows:
Data Protection by Design and Default
This is a new concept where businesses will be required to look at privacy of data both operationally and strategically. Data Protection by Design requires businesses to take privacy of data into account when developing a policy, process, product or service. It also requires a system to be in place to ensure that only the data necessary for each specific purpose is processed.
Processing by Consent
The regulation increases the threshold of consent for the processing and holding of data in an attempt to reduce broad consent being used. The stricter requirements for valid consent state that it must be ‘freely given, informed, specific and explicit’.
Legal Basis for Processing
If you are intending to use legal grounds to justify the processing of data, which you may want to do because of the restrictions surrounding consent, the regulation says that processing may be necessary for compliance with a legal obligation (such as Tax and NI), for the performance of a contract (such as payroll), or for the purposes of the legitimate interests of the employer or a third party (such as performance management or during a dispute).
The regulation requires employers to provide more information to job applicants about how their data is processed.
Data Subject Access Requests
The regulation builds on the right of employees to obtain information regarding their data, as set out in the Data Protection Act 1998. The regulation requires employers to respond to requests within one month unless complex, and requires them to be free of charge unless the request is deemed to be excessive.
This is one of the biggest changes and sees employers required to demonstrate their compliance with data protection rules. To meet these obligations, employers will have to keep extensive internal records on how data is processed, which will have to be shown to the supervisory authority if requested.
Under the regulation, employees will have a right not to be subject to a decision made by automated processing where that decision will significantly affect them. This will include, for example, decisions about performance, health, reliability and behaviour.
Sensitive Personal Data
There has not been a great deal of change to this, but there is a new requirement for employers to restrict processing of such information to what is ‘necessary’, which may restrict what happens in practice.
As we get nearer to implementation in May 2018, we will provide information on how to prepare for these changes.