POSTED: June 12 2017
Changes to Data Protection legislation and implications for HR

Changes to Data Protection legislation and implications for HR

The following change to data protection legislation affects all advo clients, irrespective of size.

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will apply directly to all EU member states, without the need for any domestic legislation.  The UK Government has confirmed that the GDPR will be implemented in this country despite Brexit.

The GDPR will set a higher standard for consent to process personal data.  It will require consent to be “freely given, specific, informed, and clearly indicated by a statement of affirmative action”.  The new definition includes a requirement that consent is “unambiguous”.  If consent is through a written declaration it must be clearly distinguishable from other matters and easy to understand.  This a more dynamic approach to consent and that the standard “consent to process data” clause that features in most employment contracts may not be sufficient after the GDPR comes into force.

Clients are therefore advised to create a separate form to obtain consent to data processing for employment purposes, for example, to fulfil your obligations under an employment contract.

When GDPR comes into effect, there will also be a new compliance period for dealing with subject access data requests.  Currently, you are obliged to respond to such requests within 40 days.  This will be replaced with an obligation to comply “without undue delay” and within one month.  There is an extension of two additional months if the request is complex, which could be the case if information is unstructured and spread across different systems (eg manual, HR and Payroll).  The £10 fee applicable to requests under the Data Protection Act 1998 will be abolished, although you are able to charge a “reasonable fee” if the request is “manifestly unfounded or excessive”.  This fee is meant to cover administrative costs and should discourage very onerous requests.

Under the new rules, employers will be required to report a “personal data breach” to the Information Commissioner within 72 hours.  This includes personal data for example kept on a stolen laptop which is not encrypted, a file left on a train or an email sent to the wrong address.  It is therefore important to remind employees that even apparently minor incidents should be reported internally if data has been lost or compromised.

The current maximum penalty for non-compliance with data protection laws is £500,000 in the UK.  This will increase to 20 million euros or 4% of worldwide turnover if greater. There may be increased scope to legitimately use your employee’s data protection obligations as leverage in employment disputes.  For example, a departing employee who takes lists of client and contact details of them will run the risk of being reported to the Information Commissioner. You also will be justified in taking a harder line in disciplinary action against employees who misuse confidential information about third parties or remove it from your secure systems.

If you have any questions on how this can affect your organisation please contact advo hr at our Maidstone head office.