Taking effect in May 2018, the General Data Protection Regulation (GDPR) heralds a complete rethink in the way employers handle our data. It replaces the current Data Protection legislation, and even with the progress of Brexit, GDPR will still become law in the UK. It’s employers who really need to worry about complying with their new obligations under the GDPR, but as an employee it’s also worthwhile knowing what is going on and understanding what your employer can and cannot do with your data.
GDPR and DBS
The new Data Protection legislation will tighten up the circumstances in which employers are allowed to ask for checks on their employees. There is currently a list of occupations which are subject to DBS checking, but it is not unknown for employers to run checks on everyone simply as a background checking process. Under the GDPR this will not be allowed. There are also much stiffer penalties under the GDPR than under previous legislation, which should deter employers who don’t change their practices. GDPR isn’t just something which big business needs to worry about; any organisation of any size which stores information about its workers should take responsibility for making sure it falls in line with the new laws.
Finding Out What Information an Employer Holds
Under current Data Protection laws, employers are allowed to charge a Subject Access Fee to any of their employees who request the information held on them. This is usually £10. When the legislation moves over to GDPR, this fee will no longer apply and employers will have to give the employee the information they request within one month. Employees have the right to ask for any mistakes on their records to be corrected, and if employers don’t want to give out information then they must have a good reason for refusal. Most large employers are already updating their policies and procedures to take account of the new GDPR legislation and are trying to make a gradual switch to the new higher standards rather than leaving everything to May next year.
One of the main criticisms of the Data Protection Act was that there weren’t enough sanctions for companies who refused to look after their employees’ data or keep it safe. Under the GDPR the penalties for companies who leave their employees’ DBS certificates lying around in an unlocked cupboard are a lot stricter. The GDPR allows for maximum penalties of 20 million euros, or 4% of the company’s worldwide turnover.
Another main change from the current legislation is that there is a greater onus on the employer to tell their workers why they need pieces of information from them, how it will be processed and how it will be stored. Employees shouldn’t be afraid to ask their employers difficult questions, especially when the data you are handing over is something potentially sensitive, such as details of your criminal record or any cautions you might have received in the past.