Businesses have been gearing themselves up to comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) in relation to the retention and use of the personal data of individuals they interact with for some time now, but do they realise that these new rules have huge employment law implications?
Jas Dubb, employment law specialist at Wilkes, sheds some light on the new rules.
“The penalties for non-compliance have now significantly increased and can carry criminal sanctions in extreme cases”, he warns.
Personal data comes in many forms. Employers are likely to hold a lot of personal data about their employees and former employees. This could include next of kin details, benefits details and bank details. If the employer operates CCTV, monitors emails or internet use, or records telephone calls, then the resulting records will also constitute personal data for the purposes of GDPR.
Under GDPR employers need to ensure that where data is held it is properly protected. There is a greater emphasis upon security and the control of data within the employer’s possession. Employers should also consider how long they legitimately require to hold employee data and regularly check the accuracy of the data held.
Employees have previously had the right to seek copies of the personal data held about them via a Subject Access Request. Under GDPR, employees also have rights, in certain circumstances, to have their personal data erased, to restrict data processing and to object to the processing of their personal data, amongst others.
As part of the road to compliance, employers need to have a privacy notice. The notice needs to cover such things as what data the employer expects to gather, whether the employer ever shares this data and, if so, with whom, amongst other matters. This notice must be provided to everyone whose data is held. In an employment law context, this would include prospective candidates who may apply for a job and workers the business may engage from time to time, as well as direct employees.
The Information Commissioner’s Office (ICO) is the body which oversees this new legislation. Disgruntled employees can raise their concerns and complaints directly with the ICO.
The original employer data protection obligations came from the Data Protection Act 1998, which followed EU rules. These covered obtaining, processing and securing personal data. That regime has now been replaced by the GDPR and the Data Protection Act 2018, which came into force on 25 May 2018.
We provide advice to both employers and employees. For advice on any employment related matter and to discuss our Free Employment Health Check for your business please contact Jas Dubb at The Wilkes Partnership on 0121 233 4333 or [email protected].