The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It is from the EU, but will come into force before Brexit takes effect and so it will apply to us. The need for change comes from the way in which data is now published and shared for example online and on social media where data easily crosses national boundaries. UK businesses and organisations will still be subject to GDPR or an equivalent version of it post-Brexit if they monitor the behaviour of, or offer goods and services to, citizens in the EU from the UK.
The Information Commissioner’s Office (ICO) has issued draft guidance in connection with the GDPR, but we await the final form of this.
The good news is that the GDPR retains the core rules and principles that we have in the Data Protection Act 1998 (DPA) and so a lot of it will be familiar to us. You may remember that the eight principles for processing personal data under the DPA are that personal data must be:
Accountability and financial penalties – businesses will need to demonstrate that they have complied with the GDPR by keeping accurate records and may face significant fines for data breaches (up to 20 million euros or 4% of annual worldwide turnover, whichever is greater). Individuals will also be able to claim financial compensation for data breaches where they result in financial loss or distress.
Consent – it has always been important to obtain consent from individuals before processing their personal data, but under the GDPR consent will be harder to get. Consent may be withdrawn at any time. More on this below…
Data Protection Officers – many businesses will be required to formally appoint a Data Protection Officer, that person having their own duties to perform.
Rights for individuals:
Please note that you do not always need consent in order to process personal data. Obtaining consent is one lawful basis for processing, but there are five others. You only need consent when none of the other five lawful bases applies.
The lawful bases for processing personal data are:
You need to consider whether the personal data that you are collecting, holding and processing in connection with your employees is necessary for meeting your obligations under your contract of employment with them.
It will be necessary for you to collect their full name and address, date of birth and national insurance number. It is likely to be necessary for you to collect information about their health, e.g. through self-certification forms, fit notes and accident books.
It may be necessary to collect their personal email address as a means of communication, bank details as a means to arrange payment to them, etc.
It is unlikely to be necessary to monitor their use of email or the internet, install a tracker in their company vehicle or capture images of them on CCTV. This form of monitoring has been looked at within the Employment Tribunals and in the context of a right to privacy. It is necessary to inform the individual what monitoring will be carried out, how and why. You must have a genuine and legitimate reason for carrying out the monitoring, and this must not be outweighed by the potential detriment to the individual.
It is unlikely to be necessary or appropriate for you to collect information about their sexual orientation, political beliefs, religion, etc. If you do collect such information for the purposes of equal opportunities monitoring you must make sure that you use an anonymous system so that the data collected is not attributable to a particular individual.
It will not be necessary for you to collect, hold or process personal data other than to meet your obligations under the contract of employment. For example, it will not be necessary for you to collect their personal email address for the purposes of marketing goods and services to them.
Although you don’t need consent, you should still inform your employees of what personal data you are collecting, holding and processing, why you are doing it and who you are sharing that personal data with. It is likely to remain good practice to include a statement about this within a contract of employment so that you can demonstrate that the information was given to the employee and that they signed to confirm receipt (if not consent).
There will be specific occasions on which you need to obtain consent because the collecting, holding and processing of personal data is not strictly necessary for meeting your obligations under the contract of employment. For example, if you want to write to an employee’s GP about their health, or if you want to monitor employees’ internet and email usage and cannot show a genuine and legitimate reason for the monitoring that is not outweighed by the potential detriment to the individual.
The GDPR requires a higher standard of consent than we are used to. Previously an individual had to give their free agreement to personal data being processed. Now, that consent must also be unambiguous and given by way of a statement or clear affirmative action. This means that it will not be acceptable to automatically assume consent and ask people to opt out – as you may have done in terms and conditions or when using online services, e.g. where you tick to opt out of receiving marketing. Instead, you will have to ask people to proactively “opt in” to give their consent.
When asking for consent, you will need to make clear what the consent is for (e.g. what personal data you will be collecting and processing, and why) and also who you will share the personal data with, being very specific as to the identities of such potential recipients. You will need to record the consent. An umbrella consent form that requires consent to a broad range of data collection and processing may not be acceptable and you should consider whether you can break the consent down into various components.
You must also inform the individual how they can withdraw their consent and that they can do this at any time. Remember that the individual can withdraw their consent to personal data being processed going forwards, but can also ask to be forgotten.
Generally, any consent being requested is to be obtained separately from any sign up to other terms and conditions so that provision of a service is not seen as being dependent upon the person agreeing to share their data in the ways that you wish.
Employees will have a right to request that personal data is erased. This will apply only where:
The GDPR comes into force in May 2018, but there is a lot to do between now and then. You may need to: