Employment Guide to GDPR

The General Data Protection Regulation (GDPR) will be expressly implemented into UK law through a new Data Protection Act. This will need to comply with the overhaul of European data protection legislation brought about by the GDPR as a result of the rise in the use of technology information systems and digital media as well as social and legal issues relating to privacy and data use.

The GDPR will come into force on 25 May 2018 without the need for specific UK legislation. The UK’s Data Protection Bill (“the Bill”) was published and put before Parliament on Thursday 14 September 2017. The Bill seeks to implement the GDPR in full, covering specific areas which are left to be determined by member states and introducing a GDPR like regime to aspects of data processing technically not covered by the GDPR itself. Although the Bill may be amended, it is unlikely that there will be material changes and it is important to prepare now. The GDPR applies to organisations with a UK establishment where personal data is processed in the context of the activities of any establishment. If this is met, the GDPR applies irrespective of whether or not the data processing takes place within the EU. Processing means doing anything with data, including sharing and deleting it. In short, all UK employers process the personal data of candidates, employees/workers, former employees/workers and consultants,irrespective of the other activities of the business.

This guidance note applies to all businesses. It can be read alongside more general guidance in respect of preparing for the GDPR but is focused on those within the HR community.