There have been huge technological advances, as well as greater public awareness of the importance of personal data, since the introduction of the Data Protection Act in 1998.
The regime has now been overhauled by the implementation of the much heralded EU Data Protection Regulation (GDPR) and the Data Protection Act 2018, which came into force on 25 May 2018. The new provisions strengthen and enhance existing rights, as well as significantly increasing the penalties for getting it wrong.
Key changes under the GDPR include a wider definition of personal data, tighter rules on the thorny issue of “consent” and significant fines of 4% of worldwide turnover or €20 million (whichever is the greater). With potential penalties at such a high level, and reputational damage to consider, this is not something that any organisation can afford to ignore.
Elizabeth Denham (the Information Commissioner) said of the new regime in January 2017: “…arguably the biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
What issues arise in the employment field?
The Information Commissioner's Office (ICO) is gradually updating all its guidance and has made clear that it is looking for companies to take action towards compliance, but is not anticipating that everything will be in place overnight. As such, companies should continue to review their policies and processes as new guidance is issued.
In a wider business context, companies need to carry out a data mapping exercise to understand what data is being processed in the business and to determine what steps need to be taken to ensure compliance. From the employment perspective, as a minimum, employers should ensure:
- They have in place an employee privacy notice (or fair processing notice) and candidate privacy notice to provide employees and job applicants with the relevant information on how their data will be treated.
- They have reviewed and updated contracts of employment and other worker/consultant contractual terms.
- They have implemented an updated data protection policy or privacy standard to ensure all those in the business understand what data is being processed, and what their obligations and rights are.
- They have notified staff of any relevant changes.
For further information about the GDPR and what we can do to assist please contact your usual employment contact, or a member of the employment data protection team (Robert Thomas, Kirsti Laird, Becky Lawton, Emily Chalkley, Kelly Evans or Syma Spanjers).