On 25 May 2018, the Data Protection Act was replaced by the General Data Protection Regulation (UK GDPR). There are no exemptions based on size or sector; all organisations must comply with its requirements in full or face a hefty potential fine. On the whole, the rights individuals enjoy under the UK GDPR are the same as before but with some significant enhancements.
- The Data Protection Act 2018 (DPA) is the UK’s third generation of data protection law, aiming to modernise all laws surrounding data protection.
- It is to be read in conjunction with the General Data Protection Regulation (GDPR), which came into force in May 2018.
- Under provisions highlighted in both the GDPR and DPA, employees must give consent for their personal data to be processed.
- Both the DPA and GDPR apply to organisations that process personal data, providing key instructions on the best company policies that should be adopted to protect key individual rights.
- The GDPR provides for a significant fine of €20m, or 4% of the company’s annual turnover, for organisations found to be in breach.
- Employers should therefore formulate and implement clear company policies on data protection to be followed by management and staff.
- The DPA sets out six key principles, which all organisations that process personal data should refer to.
- The Act also outlines specified conditions which can be referred to in the absence of employee consent.
- Employees have the right to make a ‘subject access request’ to view all information that is held on them by their employer.
- Employers must seek permission from their employees to request personal medical documents from their relevant health practitioners, as outlined in the Access to Medical Reports Act 1988.
- When recruiting, employers should be careful not to use information on the candidate from social media unless there is a clear reason to do so, and should allow the candidate to make representations in relation to the content.
- Data can be shared with third-party organisations, such as the police, if it relates to an ongoing crime or possible fraud.
- See our 'how to' guides for practical information on data protection.