Brexit and data protection '“ what do you need to be doing as an employer?


Thursday, 13th October 2016, 1:38 pm
Updated Tuesday, 25th October 2016, 7:11 pm
Louise Connacher, director in the employment law department at Lupton Fawcett Denison Till.

Whilst details of Brexit are yet to be confirmed, employers should not bury their heads in the sand about upcoming changes to data protection laws.

The General Data Protection Regulations (GDPR) will apply in all EU Member States in May 2018. The UK will likely still be a Member of the EU at this time and will have to comply. Given the changes to the Data Protection Directive, upon which the UK’s Data Protection Act (DPA) is based, and the amount of cross border trade that is carried out in the UK, any Brexit negotiation involving the UK’s data protection law is expected to be akin to the GDPR provisions. Until the UK leaves the EU, its rights as a Member State shall continue, as will its obligations to follow EU Regulations.

There are a number of significant changes that employers must be aware of. It is advisable employers begin implementing changes now to avoid heavily increased fines for non-compliance – up to 4% of annual worldwide turnover or 20 million euros, whichever is greater.

The new rules require employee consent for processing their personal data to be ‘freely given, informed, specific and explicit.’ This is more onerous than the current laws. Employers will need to be aware of the specific reasons why they process and retain data. The way employee consent is obtained and retained will need to be changed. It will no longer be sufficient to count one off “pre-ticked” boxes as consent.

The rules also make data subject access requests easier. This is the process that allows an employee to request copies of data that is used, stored or shared about them. Employers will now have to respond within one month of the request and will no longer be allowed to charge a fee.

There is also a new self-reporting obligation. Staff breaches of data protection, such a losing a company laptop, must be reported to the Information Commissioner’s office within 72 hours of the breach and failure to do so may result in a fine of up to 10 million euros or 2 per cent of annual worldwide turnover.

This covers just a sample of the changes to data protection. Whatever happens with Brexit, the UK will be expected to comply with the new rules for at least a certain period of time.

The message for employers is to get ahead of the changes. Conduct an audit of current data protection policies to highlight what needs to be changed or implemented to ensure compliance and avoid the hefty fines, before the GDPR comes into force.

If you wish to discuss this article in greater detail, please contact Louise Connacher on 0113 280 2108 or [email protected]