Data protection – new changes which will shock employers

By Lupton Fawcett director Louise Connacher

Last week, a historical society was fined £500 when a laptop containing personal information about people who had donated artefacts to the society was stolen from an employee’s home.

The laptop was not encrypted, and there were no appropriate policies in place covering employees working from home or using mobile devices.

The Information Commissioner’s Office (“ICO”) made it clear that the fine was low due to the historical society’s financial circumstances – and that most organisations should expect to receive a much higher fine for similar breaches. The ICO has confirmed in the past that where an organisation’s laptop containing personal data is stolen or misplaced, then a fine will follow.

The ICO also warned a council to toughen up its data protection procedures after a social worker left some court documents containing sensitive information about 27 people (including 14 children) on the roof of her car and then drove off. The council was particularly criticised for failing to keep records of data protection training given to temporary staff.

These examples are worrying enough, but the stakes will be raised for all organisations when new legislation on data protection – brought in by the EU General Data Protection Regulation – becomes law across the EU in May 2018.

Even though the UK is preparing for Brexit, the Government confirmed on 31 October that it will be implementing the new legislation. The new rules will apply to all organisations which process personal data, but certain provisions will be of particular importance to employers.
– Consent to the processing of personal data will have to be “freely given, informed, specific and explicit”. It is likely that a clause in the employment contract giving consent to processing personal data will not be sufficient in future.

– Subject access requests will be easier for employees – employers will not be able to charge a fee for subject access requests and will have to respond within one month.

– Right to be forgotten – new rights will allow employees to require their data to be completely erased in certain circumstances.

– Notification of breaches – where data protection breaches lead to unauthorised loss, amendment or disclosure of data (such as in the examples given above), employers will be under a new obligation to notify the breach within 72 hours.

Fines will increase from the current maximum of £500,000 to a new maximum of €20m, or 4% of an organisation’s worldwide turnover if higher. To avoid hefty fines, employers should now conduct an audit of the personal data that they hold and the reasons for holding it, ensure that consent to processing data is recorded, review their policies and ensure that staff have been trained in data protection law.
