Data protection

Editor's message: The Data Protection Act 1998, which implements the Data Protection Directive, regulates the handling of personal data. Employers must comply with the Data Protection Act 1998 in relation to the collection, use and storage of personal information, which includes information about job applicants (such as application forms and CVs) and employees that is held on a computer.

There are data protection issues around employees using their own devices for work purposes, both in relation to the storage of personal data of other employees in the organisation and the extent to which employers can monitor employees’ use of these devices.

The EU General Data Protection Regulation (GDPR), which replaces the Data Protection Directive, is due to come into force on 25 May 2018, before the UK is expected to leave the EU. The aim of the GDPR is to establish a modern and harmonised data protection framework across the EU. One notable aspect of the GDPR is the level of fines that may be imposed for a breach. The maximum fine on an organisation is the higher of €20 million or 4% of its worldwide annual turnover. The Government has introduced a Data Protection Bill to establish a new data protection regime and implement the GDPR. The Bill provides for the Data Protection Act 1998 to be repealed.

Felicity Alexander, employment law editor

New and updated