View Privacy notice here: Privacy Notice
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (2016/679 EU) (GDPR) is the new governing legislation for collecting and processing personal data in the EU.
It comes into effect on 25 May 2018 for all EU member states, including the UK, which will still be a member of the EU at that time. The GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill, so the GDPR standards will continue to apply following Brexit. The Government has also published the Data Protection Bill, which will supplement the GDPR, replacing the Data Protection Act 1998.
The GDPR requires that personal data be processed according to many of the same principles as under the current Data Protection Act 1998. However, employers should note, in particular, that the GDPR has new requirements:
- that restrict the use of consent as a justification for processing data;
- on demonstrating compliance through the documentation of data processing activities;
- on adopting organisational measures for data protection such as policies and practices; and
- on providing more information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data.
Employers should also be aware that the GDPR creates a new enforcement system, with significantly higher maximum penalties than under the Data Protection Act 1998. In particular, breach of the GDPR in some circumstances can lead to a maximum fine of €20 million or 4% of an undertaking’s worldwide annual turnover, whichever is higher.
Will there be changes to the rules on obtaining consent to process personal data under the General Data Protection Regulation?
Yes, the General Data Protection Regulation (2016/679 EU) (GDPR) significantly restricts the use of consent as a justification for processing employee personal data.
Under the GDPR, consent must be freely given, specific, informed and unambiguous. It must be given by a statement or clear affirmative action. If consent is given through a written declaration, the request for consent must be clearly distinguishable from other matters and easy to understand. The individual has the right to withdraw his or her consent at any time.
For employers, the new requirements mean that generic consents (for example, those contained in the body of an employment contract) will not be a valid legal basis to justify processing employee personal data.
Further, in its draft GDPR consent guidance, the Information Commission’s Office (ICO) has stated that consent will not be valid if there is an imbalance in the relationship between the individual and the organisation collecting the data. The ICO has said that this will make it difficult to obtain valid consent in the employment context and that employers should avoid relying on consent as a justification for processing employee personal data.
Employers will need to ensure that they have a valid legal basis for collecting employee personal data (ie processing is necessary to perform the employment contract, to comply with a legal obligation or for the legitimate interests of the employer). They should rely on consent as the legal basis for processing only if the employees have a genuine choice about whether or not to provide it and will suffer no consequences if they choose not to.
The GDPR will come into effect on 25 May 2018 and will apply directly in all EU member states. The Government has confirmed that the GDPR will be implemented in the UK as it will still be a member of the EU at that time.
What effect will Brexit have on the application of the General Data Protection Regulation to the UK?
The GDPR will come into effect on 25 May 2018, when the UK will still be a member of the EU.
The Government intends that the standards of the General Data Protection Regulation (2016/679 EU) (GDPR) will continue to apply in the UK following Brexit. The GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill. The Government has also published the Data Protection Bill, which will supplement the GDPR, replacing the Data Protection Act 1998.
Further, the GDPR will continue to apply directly to:
- organisations established in the EU (for example international organisations with an EU presence); and
- organisations established outside of the EU, but that process personal data of individuals in the EU in relation to offering goods or services, or monitoring the behaviour of individuals in the EU.
