- The Data Protection Act 2018 (DPA) is the UK’s third generation of data protection law, aiming to modernise all laws surrounding data protection
- It is to be read in conjunction with the General Data Protection Regulation (GDPR), which came into force in May 2018
- Under provisions highlighted in both the GDPR and DPA, employees must give consent for their personal data to be processed
- Both the DPA and GDPR apply to organisations that process personal data, setting out how such organisations should handle that data in order to protect key individual rights
- The GDPR provides for fines of up to €20m, or 4% of the company’s annual turnover, for organisations found to be in breach
- Employers should therefore formulate and implement clear company policies on data protection to be followed by management and staff
- The DPA sets out six key principles which all organisations that process personal data should follow
- The Act also outlines specified conditions under which personal data may be processed in the absence of employee consent
- Employees retain the right to make a ‘subject access request’ to see all the information their employer holds on them
- Employers must seek permission from their employees to request personal medical documents from their relevant health practitioners, as outlined in the Access to Medical Reports Act 1988
- When recruiting, employers should be careful not to use information about a candidate taken from social media unless there is a clear reason to do so, and should allow the candidate to make representations about that content
- Data can be shared with third-party organisations, such as the police, if it relates to an ongoing crime or possible fraud
In a technical note published by the government on 13 September 2018, the Department for Digital, Culture, Media & Sport set out guidance on data protection for organisations in the event that there is no agreement in place when the UK leaves the EU in March 2019.
The note confirms that there will be no change in the UK's data protection standards after March 2019, even if there is no deal. Additionally, UK organisations will continue to be permitted to freely send personal data from the UK to organisations in the EU.
There may be changes, however, to the free transfer of personal data from EU organisations to the UK, because the UK will be classed as a third country after the exit. Free transfers could continue if the UK's data protection regime is deemed adequate by the EU. If that adequacy decision has not been made by the date of the exit, organisations will have to identify a legal basis for each data transfer from an EU organisation to the UK.
More information on how a 'no deal' Brexit will affect data protection can be found in the in-depth section on our Brexit implications employment law pages.