Are you at risk of an £18 million data protection fine? – Employee Consent and the GDPR
The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The GDPR will be applicable in the UK (regardless of Brexit) with derivative legislation replacing the Data Protection Act 1998.
The GDPR extends the scope of current data protection legislation. It also introduces changes to the way in which employers obtain consent to process employee data.
Businesses may process* a significant volume of employee personal data** when carrying out business functions. For example, employee personal data will be ‘processed’ for the purposes of payroll administration, performance reviews, and training and development to name but a few.
*Processing means carrying out any of the following: collecting, recording, organising, storing, using, disclosing, disseminating.
**Article 4(1) of the GDPR defines personal data as information relating to an identified or identifiable person. The definition of personal data includes (but is not limited to) name, address, email address, telephone numbers and bank account details, i.e. it covers much of the data that employers hold about their employees. There is a further category of protected data: sensitive personal data. Sensitive personal data is subject to additional rules in connection with data processing. It includes (but is not limited to) information about racial or ethnic origin, political opinions and religious beliefs.
Under the GDPR, organisations must have a legal justification for the processing of personal data (including data relating to their employees). Such justification may be based upon employee consent.
In order to rely upon employee consent as a justification for processing of personal data, employers must demonstrate that the consent was:
Under the new legislation, the Information Commissioner’s Office will have increased powers to take enforcement action over data protection breaches. This includes the ability to issue significant financial penalties. A data protection breach could be a costly mistake for your business, and it is therefore essential to take timely advice on compliance.
Poole Alcock is running a series of seminars and bespoke training on compliance with the GDPR and related legislation: if you would like further information about either of these please contact Eve Lakin on 01270 619689 or at eve.lakin@poolealcock.co.uk.