Legal Advice for Employees
Greater control of your personal data from the GDPR
July 25, 2017
From next year, individuals will be able to better control their personal data, as the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Its aim is to address the significant advances in information technology and in the ways individuals and businesses communicate and share information.
What does it mean for you?
Many of our existing core concepts about data protection will remain. But the GDPR strengthens your rights, and introduces new obligations on employers regarding how they gather and handle information about you. The fines that can be handed down for a business’s non-compliance are increasing, and in some cases, they will have to notify you if they’ve breached their obligations.
Some of the key changes are:
• Consent
This is about how an employer gets your consent to hold and process personal information about you. The main change here is that it will be harder for them to get your consent. Currently, most employers simply put a general data protection clause in their employment contracts which you then sign.
From next year a new higher standard of consent is required: they must show you have given informed and unambiguous consent, and that you have done so freely, i.e. not under duress. Simply getting you to sign a contract with a basic data protection consent clause is no longer going to be enough. They have to show that the consent you have given is valid, so arguably they should be explaining how your information is going to be gathered and stored, and what your data protection rights are.
You will also gain the right to withdraw your consent at any time. It must be as easy for you to withdraw consent as to give it.
• The right to be forgotten
This is a major step forward in helping individuals regain some control over the information that is held about them.
From next year, you will (in certain circumstances) have the right to ask for personal data about you to be deleted. It could be the data is no longer relevant for the purpose for which it was collected, e.g. references they’ve been holding on file for several years, or you withdraw your consent. Your employer should be putting in place an adequate system for handling such requests.
• Data subject access requests
Data Protection Subject Access requests can be a useful tool for obtaining information and documents your employer may hold about you. At the moment your employer has 40 days to comply with your request from when they receive payment of a maximum £10 fee (if they charge one).
The GDPR will usher in several significant changes that are to your benefit:
- Firstly, they must provide the data free of charge, unless the request is ‘manifestly unfounded or excessive’. But they will have to demonstrate that your request is manifestly unfounded or excessive. Given the whole point of the GDPR is to give people greater access to information, this could be a high threshold to overcome.
- The time limit for compliance will change from 40 days to ‘without undue delay and in any event within one month’. Given that many employers struggle to meet the 40-day deadline, this is likely to cause problems.
- If you submit your request electronically, you can insist the information is made available in electronic form (if you want to!).
• Strict data breach notification rules
Employers will have to report any breaches of the data protection rules to the ‘National Data Protection Authority’ (likely to be The Information Commissioner’s Office) without undue delay and where feasible within 72 hours.
In some circumstances they will also have to notify you if the breach relates to data about you. This is likely to cause a lot of problems for employers, not least because you could raise a formal grievance which they will then have to investigate and deal with in a reasonable manner. In some cases, the level of breach, or the way they handle a complaint, may entitle you to resign and pursue a constructive unfair dismissal claim.
What should you do if you think there’s been a data protection breach?
Firstly, you should not be afraid to raise any concerns; the law is there to protect you.
You need to act promptly, so don’t delay. But, before you do anything, take advice. Your rights, potential claims and options, and the way you raise any concerns with your employer should be fully explored before you inadvertently do something that may harm your position.