10 things Employers need to know about GDPR

Great British Business Show blog image 1

The General Data Protection Regulation comes into force on 25th May 2018. Every business with Employees, however small, will be affected – and the penalties for non-compliance with the GDPR are significant.  Our team of UK Employment Lawyers has put together a list of 10 things employers need to know about GDPR, along with some action points to help you comply. 

 1. There’s no hiding from GDPR

There is no exemption for small businesses or businesses that only employ a small number of staff. Employers of all sizes are affected by GDPR. Size will matter when it comes to establishing the extent to which GDPR will apply. If you aren’t processing large amounts of data, and you aren’t involved in high risk processing, you won’t be expected to devote as many resources to data protection as an organisation that is.

Action for employers: check your organisation against the requirements of the GDPR. Our team of Employment Solicitors in London can advise you on this.

 2. There are changes to handling Subject Access Requests

An employer will only be able to charge an employee a reasonable administration fee if faced with a “manifestly unfounded or excessive” request for information. Otherwise, no fee can be charged. The 40 day time limit to comply with a request has been replaced with an obligation to complete the subject access request “without undue delay”, and within a month at the latest. There is scope to extend the timescale by 2 more months, but the employer needs to inform the employee of this within the initial month.

Action for employers: review policies relating to subject access requests; make sure staff handling subject access requests receive appropriate training.

 3. Consent must now be ‘freely given’

Whether an employee has given consent to his or her employer to process personal information is already problematic under the existing data protection regime because of the imbalance of power between an employer and employee. The concept of ‘freely given consent’ under GDPR may be even harder to satisfy. It’s likely that an employer won’t be able to rely on a blanket consent to data processing contained in an Employment contract

Action for employers: Review consents received prior to 25th May 2018 to process personal data and consider if they are still compliant under the new regime; you may need to obtain fresh consents from all Employees. Understand those situations where you will and won’t need consent to process personal information about your Employees. As recommended Employment Solicitors, we can assist you with this. 

 4. Employees have the right to withdraw consent

GDPR gives Employees the right to withdraw their consent to the processing of personal information as easily as they can give their consent.

Action for employers: Check your process for allowing an employee to withdraw consent – update it if necessary and consider how you will publicise this within your organisation.

 5. You may need to improve the information you provide about processing

GDPR consolidates and expands the existing obligation to provide clear information to Employees and prospective Employees about the information that is to be collected and processed. Employers will not be able to hide between complex phrases such as ‘legitimate interest’ and will need to provide significantly more information about data collection and processing.

Action for employers: Consider whether you are providing Employees and prospective Employees with enough information, and at an early enough stage in the recruitment process. 

 6. Employees have a right to be forgotten

Employers must be able to erase personal information when it is no longer necessary, or when the employee withdraws consent and the employer has no other reason to process his/her personal information.

Action for employers: As with the process for allowing an employee to withdraw consent, check that you can comply with an employee’s right to be forgotten.

 7. You may not be able to carry out criminal records checks

Under GDPR it won’t be possible to carry out criminal records checks as a matter of course. This is an area where individual states can make their own rules, potentially extending the circumstances in which DBS checks may be made. The new Data Protection Bill had its 3rd reading in the House of Commons on 9th May 2018 and will need careful scrutiny once it has been made law to establish what an employer can and cannot do.

Action for employers: Review the use of DBS checks until the new domestic data protection regime is introduced; review again according to the new Data Protection Act once it is enacted.

 8. Data transfer outside the EEA will be controlled

If you move employee data to a ‘third country’ –outside the EEA, there must be adequate safeguards in place to make sure it will be protected. With Brexit looming, this takes on an added dimension – the UK will become a ‘third country’. Although the new data protection bill brings the GDR into UK law, there are several complexities that remain to be ironed out before we know how this will work in a post-Brexit world.

Action for employers: At this stage, carry out an audit of where personal data is stored and processed, and whether transfers of data out of the EEA take place. 

 9. You may need a data protection officer

If you are a public body, or your core activities involve regular monitoring of individuals and large-scale data processing or you carry out large-scale processing of sensitive personal data or data relating to criminal convictions, you will need to appoint a data protection officer. 

Action for employers: Consider whether the way you process employee information brings you into the scope of this requirement.

 10. Non-compliance will be costly

Any employer considering ignoring GDPR should think again – breaches of GDPR can attract fines of 20 Million Euros or 4% of your organisation’s global turnover – whatever is the higher.

Action for employers: Don’t delay – non-compliance with GDPR can have huge implications for your employer. Call us today 0207 936 9960 to book a consultation with one of our top Employment Solicitors and make sure you are complying with GDPR as far as your Employees are concerned.

 

OTS Solicitors are committed to ensuring you receive advice from some of the best Employment Lawyers in London. We are regarded as one of the best Employmentimmigration and commercial law firms in London. If you need legal advice on employment law matters, please phone our office on 0207 936 9960 to talk to one of our dedicated employment law solicitors.