Stronachs Logo

This week the Government announced new laws that will overhaul UK data protection law. The changes are necessary in order to bring data protection laws up to date and in line with new EU law. The Data Protection Bill, which will give effect to the European Union’s General Data Protection Regulation (GDPR), represents the most comprehensive transformation of data protection rights in a generation.

 

The Data Protection Act 1998 (1998 Act), which implemented the EU’s Data Protection Directive, contains current UK data protection law. Since the implementation of these laws, there have been significant advances in information technology, as well as fundamental changes to the ways in which information is communicated and shared. The GDPR will also bring more harmonised data protection laws. The approaches adopted by EU member states in the implementation of the Data Protection Directive have been disparate, thus creating compliance difficulties for businesses operating within the EU. The GDPR aims to create a “one-stop shop” for data protection, with a common set of rules applying across the EU.

The new Act will come into force on 25 May 2018. Note this is not affected by the UK’s proposed departure from the EU because the Government aims to ensure that the UK’s data protection laws are aligned with those of the EU ahead of Brexit, with the intention that the UK can continue to efficiently do business with the rest of the EU, at least, insofar, as data protection issues are concerned…

Much of the GDPR will be familiar. It uses a number of the same core concepts as the 1998 Act; e.g. “personal data”, “processing”, “controller”, “processor”. In addition, like the 1998 Act, the GDPR also requires data controllers to comply with a set of principles for processing personal data. However, although there are some familiar concepts, the GDPR is fairly complex and there are important new elements to take into consideration. Some of the most notable changes from an employment law perspective are considered below.

Consent

The GDPR will introduce more stringent requirements for consent as a legal basis for processing employee data. In particular, consent must be freely given, specific, informed and unambiguous. If there is no genuine free choice, it will not be considered to be freely given. The use of standard provisions within employment contracts for consent will no longer be effective, as employment contracts are generally offered on a “take it or leave it” basis (i.e. the employee has no real free choice). Employees may also withdraw consent at any time and must be informed of the right to do so by their employer. It must also be as easy to withdraw consent as it is to give it.

Information on Data Processing

The GDPR will also introduce more stringent requirements in terms of information provided on data processing. Under the current regime, employers must provide ‘fair processing information’; setting out the purposes for which data is processed, as well as any further information needed to ensure processing is fair. The GDPR will require that all information provided must be concise, transparent, easily accessible and given in plain language.

In addition to the abovementioned requirement for employers to inform of the right to withdraw consent, employers must provide significantly more information, including the following;

• The legal basis for processing the data.

• The source of the data (other than where the data subject is the source).

• Who will receive personal data (or the categories of recipients).

• The period for which data will be stored, or if that is not possible the criteria used to determine the period.

• The existence of data subject rights including subject access, rectification and erasure (see below).

• The right to object to processing on certain grounds.

Subject access requests (SARs)

The rules on SARs are broadly similar to the current rules. However, the following key changes should be noted;

• The default period for compliance of 40 days under the 1998 Act will be replaced with an obligation to comply “without undue delay” and within one month. There is a possibility of an extension of a further two months if necessary, taking into account the complexity of the request. Employers who have had the misfortune of dealing with SARs in an employment context will be aware they are usually fairly complex and so it appears likely that the normal period for compliance will be up to three months.

• The current £10 fee for SARs will be abolished. Instead, where a request is “manifestly unfounded or excessive” the employer may either charge a “reasonable” fee, taking into account administrative costs, or may refuse to act on the request altogether.

• Certain further information will need to be provided by employers dealing with SARs, such as the envisaged period of storage and details of the “delete it, freeze it, correct it” rights (see below).

“Delete it, freeze it, correct it”

Employees will benefit from new rights, including;

• The right to erasure (i.e. to be forgotten).

• The right to rectification.

• The right to restriction of processing.

• The right to object to processing.

These rights will generally be triggered if there is non-compliance with the data protection principles. Like SARs, if requests are clearly excessive, employers can refuse to carry out the request or charge a fee.

Personal Data Breaches

Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data, employers are required to notify the regulator. This should be done within 72 hours, otherwise “reasoned justification” must be provided for the delay. This requirement is not applicable where the breach is unlikely to result in a risk to data subjects.

Penalties

Under the 1998 Act the maximum penalty for non-compliance is £500,000. Penalties under the GDPR are a lot tougher, with the maximum penalty for non-compliance sitting at a whopping €20M, or 4% of worldwide turnover (if higher). These higher penalties are likely to make employers take notice and lead to a greater focus on compliance.

Although 25 May 2018 might seem some time away, prudent employers will already be preparing for the new regime. At the very least, employers should be looking to embrace a culture of taking data protection responsibilities seriously, if that is not already the case. Employers may wish to consider appointing personnel to take overall responsibility for GDPR compliance. Such personnel should be tasked with identifying all existing data systems and the personal data processed, together with what will need to change to comply with the revised regime. A timeline for the review and update of data protection policies should be established. Particular steps that will need to be taken include;

• Reviewing the legal basis for processing employee data; where consent is relied upon taking advice on GDPR compliance.

• Reviewing current ‘fair processing information’ and updating accordingly in order to comply with the more stringent requirements of the GDPR.

• Providing training to relevant staff on the new SAR regime, as well as “delete it, freeze it, correct it” rights.

• Adopting a ‘personal data breach’ procedure.

If you have any queries about GDPR issues, please get in touch with a member of the Stronachs Employment Team.

Rowan Alexander, Senior Solicitor

 

Chambers UK 2018

Contact Info

ABERDEEN OFFICE
28 Albyn Place, Aberdeen AB10 1YL
Tel: +44 1224 845845

 

INVERNESS OFFICE
Camas House, Pavilion 3, Fairways
Business Park, Inverness IV2 6AA
Tel: + 44 1463 713225

The Legal 500 logo