The EU General Data Protection Regulation (the "Data Regulation") was adopted by the European Parliament in April 2016 and will be implemented in the UK in May 2018.
The aim of the Data Regulation is to harmonise the law and regulatory approaches to data protection across the EU and to strengthen the rights that individuals have over their data. In the UK, the Data Regulation will replace the Data Protection Act.
The Information Commissioner's Office (ICO) will continue to be the UK's regulatory authority in relation to data protection but will have to ensure that it acts consistently with other regulators across the EU. How the UK's application of the Data Regulation and monitoring of consistency will work in practice after Brexit has yet to be decided.
The main definitions and the basic structure of the Data Regulation are not too dissimilar from those set out in the Data Protection Act but there are also some key differences including:
- The Data Regulation includes a concept of 'transparency', which in an employment context will require greater openness and explanation. For example, when responding to a Data Subject Access Request, employers will need to explain how they have approached it.
- Consent: a data controller must demonstrate that the data subject has 'freely given, specific, informed and unambiguous' consent to the processing of personal data. This means that consent cannot be relied on unless the employee can genuinely say 'no' to an employer's request without consequence.
- Employers must also provide information on the legal basis for processing the information, which will involve careful analysis.
- All employers will need to have a data protection policy, and data protection officers will need to be appointed to monitor compliance.
- Data subject access request rights will be similar, but employers will have one month to respond (rather than 40 calendar days), must provide extra information, such as data retention periods, and must highlight the right of the employee to have inaccurate data corrected/forgotten.
- If human resources data is lost or hacked and there is a risk to individuals, the employer has 72 hours to notify the ICO.
- Tougher fines: breaching the Data Regulation, including the provisions on data subject access requests, can result in fines of up to €20 million or 4% of annual global turnover. This means that a breach of data protection carries real risks for employers.
The ICO's 12-step guide contains further information, or contact us for further guidance.