By Toni McAlindin, barrister and CIPD tutor
Out of nowhere, employers have suddenly become interested in data protection. Having lectured on the subject for over 20 years, I find it all rather bizarre.
Of course, it is not because employers have suddenly seen the light, but more likely because new legislation is looming and there is a great deal of confusion as to what is required.
We have had data protection legislation since the early ’80s so these obligations are not new, but now the fines for non-compliance could be absolutely enormous (maximum of 20 million euros or 4% of total annual turnover, whichever is the higher) and that seems to have concentrated the mind for many organisations.
What’s new, then? Firstly, a new regulation known as the General Data Protection Regulation (GDPR) which originates from the EU. Yes, we are leaving the EU, but if we want any chance of doing future business within the EU then we need to comply fully with this legislation. It will be implemented in May 2018 along with the EU Enforcement Directive. The UK Data Protection Bill is currently going through Parliament. It will implement both of the above but also some areas not covered by EU law – for example, immigration and national security.
It should be stressed that the bulk of the new material is similar, if not identical, to the present data protection rules but the new Regulation aims to strengthen and unify data protection.
So, what’s different? Fines are certainly much higher, but there has been too much emphasis on this area, as the Information Commissioner, Elizabeth Denham, points out in one of her recent blogs.
The core of the legislation concerns ‘personal data’. The new definition is more detailed, reflecting changes in technology, for example, personal data could be an IP address or even data that has been pseudonymised (key coded). Clearly considerable personal data is held in organisations, not only on employees and workers but also clients, customers, suppliers and so on.
Employers will need to be much clearer about records of personal data and processing activities and much, much clearer on their lawful basis for processing such data. The legislation lays down a number of legitimate reasons for processing. If one does not exist, it will be necessary to get consent. It is not always necessary to get consent (as now) but consent must be unambiguous, specific, informed and freely given, in other words, without duress. And there must be ways to withdraw consent. It cannot be an integral part of the employment contract. It must be “by a statement or by a clear affirmative action”. Pre-ticked boxes will be invalid. There must be an active opt-in from those giving their consent.
The ICO has already published draft guidance on consent. It is unlikely to change much prior to the final version in December. It has also published a helpful 12-point checklist and more guidance will be published on an ongoing basis.
For more information on the GDPR, the CIPD course Understanding Data Protection provides an overview on existing legislation, new proposals and ongoing guidance.