New law on using personal data

New legislation will greatly increase the compliance burden on employers when they manage employee personal information.

Failure to comply can result in a maximum fine of 4% of their organisation’s global turnover.

Employers will now have to use clear language and explicitly seek the permission of employees and others about keeping and processing sensitive personal data under the new General Data Protection Regulation (GDPR).

The European Union’s regulation comes into effect in the UK on 25 May and greatly increases the rights employees have over their personal data held by employers. The UK government is updating the current Data Protection Act 1998 and a new act will incorporate the GDPR.

Sensitive data

The new regulations will also cover personal information about individuals collected for consumer and commercial purposes as well as covering current and former employers and contractors.

The law identified ‘personal data’ and ‘sensitive personal data’. Sensitive data includes: racial or ethnic origin, political views, religion, philosophical beliefs, trade union membership, information about sex and sex identity, health, and biometric data that identifies an individual. Criminal convictions are left to national jurisdiction.

Explicit consent

The key for data controllers is to obtain specific consent from those whose data employers manage. Then manage the data, exactly in accordance with the permission granted and for no other purpose other than expressly authorised.

An employer, especially a large employer, will likely need to increase administrative resources to follow the new rules. The person authorized to keep data, the ‘data controller’, will have special responsibilities and will need to demonstrate that rules are being adhered to. The data controller will need to ensure that individuals have a right to privacy over their publicly available information.

In terms of recruitment, it may mean more requests to supply copies of all interview notes or scoring sheets along with any other relevant documents. A subject access request will no longer require a £10 fee.

Explicit consent from job candidates will be needed for them to fill in automated and online application forms.