GDPR: The Implications for Employment Law

By Joanna Sutton

Principal Associate

T: 020 3892 6811
E: jsutton@nockolds.co.uk

The General Data Protection Regulations, commonly shortened to GDPR, is due to come into force on 25 May 2018 and introduces a new data protection regime.

In the context of employment law, it will mean changes to the way in which employers handle and store employees’ personal data, which includes anything from bank details and dates of birth to information about employees’ health and wellbeing or their next of kin.

Employer Considerations

The most important change from an employer’s point of view is that it is unlikely to continue to be sufficient to rely on an employee’s consent as the reason for processing their personal data. Traditionally this has been included within employment contracts and relied upon by employers in order to process personal data, but now employers will have to rely on other exemptions, such as compliance with a contract or a legal obligation.

Data protection policies must also be updated, and should detail how information will be processed, the reasons for this and how long the data is likely to be retained for. Employers should therefore undertake a data audit so that only up to date information is kept and used. Historical data should be destroyed.

There are also changes to the subject access regime whereby an individual can request copies of any personal information that is held about them. Previously a fee of £10 could be charged and the information had to be provided within 40 days. Under GDPR there is no fee to be paid (unless the request for information is unreasonable or excessive) and the information must be provided within 30 days (again, unless the request is unreasonable).

Perhaps most importantly there is a significant increase in the fines available for non-compliance. Currently a maximum fine of £500,000 can be charged. Under the GDPR it can be up to €20 million or 4% of a company’s worldwide turnover, whichever is higher. There are also criminal offences for failure to abide by the regulations.

What the GDPR Means for the Future

The introduction of the GDPR is intended to ensure more effective data protection, particularly given the significant advances in technology that there have been over the last 20 years since the last regulations were introduced. It will create a universal standard across all EU member states and despite the UK’s decision to leave the EU, it will continue to apply post-Brexit. There are changes that businesses should make now to comply with the regulations and we can provide in-house training for your company to make sure that you are best prepared and protected against the hefty fines that will be in force.