Companies hold extensive data not only on employees but also on job applicants and ex-employees. This often includes sensitive information, such as bank details, religious affiliation, racial background and sexual preferences.
The GDPR replaces the Data Protection Act 1998 (DPA). One of the key principles underpinning the new regulation is to give individuals control over their data.
Here are the five main changes to note.
1. Making a Subject Access Request (SAR)
Employees have a right to make a subject access request in relation to their personal data. Employees frequently make SARs when a dispute arises; they are especially common when an employee is contemplating legal proceedings against an employer.
Under the DPA, employers were required to comply with a SAR within 40 days and entitled to charge a fee of £10. There is no fee payable under the GDPR (unless the request is unreasonable or excessive). Also, employers must comply with the request ‘without undue delay’ and within 1 month.
2. Organisations will need to provide more information
At the time of obtaining your data, the organisation must give you a significant amount of information, including how long it intends to keep the data, whether it intends to transfer it to another country, your right to make a subject access request, and your right to have personal data deleted or rectified. This information must be set out in plain language.
3. The right to have data corrected or deleted
Employees will have increased rights to object to certain processing, to have data corrected, to limit how their data is used, and to be forgotten (to have data deleted). Employees may find this useful in the context of disciplinary proceedings.
If you exercise your right to be forgotten, your employer must inform any third party to which it has passed the data of your request.
4. Consent can be withdrawn
The employer needs to have a lawful basis to process your data. Employers have frequently relied on blanket consent obtained in the employment contract.
The GDPR sets out more rigorous conditions for the use of consent: it must be freely given, specific, informed and unambiguous. It is now easy for employees to withdraw consent and prevent the employer from processing their data.
5. The right not to be subjected to automated decision making
Employees have the right not to be subjected to decisions made solely by automated means (without human involvement). This means employers are no longer able to rely on this method to determine shortlisting, performance management thresholds, triggers for sickness absence, etc.