Editor's message: The Data Protection Act 1998, which implements the Data Protection Directive, regulates the handling of personal data. Employers must comply with the Data Protection Act 1998 in relation to the collection, use and storage of personal information, which includes information about job applicants (such as application forms and CVs) and employees that is held on a computer.
There are data protection issues around employees using their own devices for work purposes, both in relation to the storage of personal data of other employees in the organisation and the extent to which employers can monitor employees’ use of these devices.
The EU General Data Protection Regulation (GDPR), which replaces the Data Protection Directive, is due to come into force on 25 May 2018, before the UK is expected to leave the EU. The aim of the GDPR is to establish a modern and harmonised data protection framework across the EU. One notable aspect of the GDPR is the level of fines that may be imposed for a breach. The maximum fine on an organisation is the higher of €20 million or 4% of its worldwide annual turnover. In the Queen's Speech on 21 June 2017, the Government announced that it will introduce a Data Protection Bill to establish a new data protection regime and implement the GDPR. The Bill will provide for the Data Protection Act 1998 to be repealed.
Felicity Alexander, employment law editor
Updated to include information on the requirements for processing sensitive personal data and data relating to criminal records under the Data Protection Bill.
The Government has published the Data Protection Bill, which will supplement the General Data Protection Regulation (GDPR) in the UK.
Updated to include information on the Data Protection Bill, which will incorporate GDPR requirements into UK law with some changes, and the ICO’s consultation on guidance for data processor contracts under the GDPR.
The Information Commissioner's Office consults on draft guidance that explains how organisations can comply with the enhanced rules in relation to contracts with data processors under the General Data Protection Regulation.
The EU General Data Protection Regulation (GDPR), which replaces the 1995 Data Protection Directive, is due to come into force in the UK on 25 May 2018. The Government has published the Data Protection Bill, which provides for protection of personal data in place of the Data Protection Act 1998, and implements the GDPR. We round up our resources on preparing for the new data protection regime.
How should employers deal with data subject access requests and how will the process change for employers when the General Data Protection Regulation (GDPR) comes into force in May 2018? Clare Gilroy-Scott, a partner at Goodman Derrick LLP, answers some common questions about data subject access requests.
HR and legal information and guidance relating to data protection.