One of the key principles for processing data is that the procedure must be fair and lawful. This is because the current rules are often interpreted too widely by data controllers.
One basis for fair and lawful processing will be expressly gaining the individual’s consent. This means that consent that previously was implied by the actions or inactions of the data subject will no longer be acceptable under the GDPR.
Consent must be freely given, specific, informed and unambiguous.
Enhanced rights of Data Subjects
The rights of individuals in relation to their personal data have been enhanced under the GDPR. This impacts on the information which should be included in privacy policies and procedures and the way in which data subject access requests from individuals should be handled.
In summary, under the GDPR, employees shall have the following rights:
the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used. Employees should be told who is processing their data, why, and for what purpose, and should be given a choice as to whether they agree to the processing. Employers, therefore, need to be open with employees about the data they collect and the purposes of processing;
the right of access; this is broadly similar to those rights presently enjoyed under the DPA, albeit with a few key distinctions:
the current compliance period of 40 days will be replaced with an obligation to comply “without undue delay” and within one month. An extension of two additional months is available when the request(s) are sufficiently complex;
the £10 fee applicable to requests will be abolished. However, where a request is “manifestly unfounded or excessive”, employers will be entitled to charge a “reasonable fee” to take into account administrative costs. In some limited circumstances employers may even refuse to act on the request altogether;
the right to rectification of data that is inaccurate or incomplete;
the right to be forgotten under certain circumstances; and
the new right to data portability will allow employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
New obligations for Data Processors
At present, data controllers are responsible for the actions of their data processors. Under the GDPR both data controllers and data processors can be responsible for data protection compliance.
This means not only the owners of personal data will be responsible for meeting the requirements of the GDPR, but those holding or using that data (such as external marketing or IT suppliers) will also have new responsibilities.
Privacy by design and Privacy Impact Assessments (PIAs)
The GDPR promotes privacy by design, which means that employers will be obliged to adopt an approach that upholds privacy and data protection compliance from the outset of any project or process.
Businesses will need to consider carrying out Privacy Impact Assessments at the beginning of any new process so that privacy is “baked” into the process from the beginning.
If you have any questions or queries about this or any employment issue, please get in touch with a member of our Employment Law team.