In 2016 an EU General Data Protection Regulation (GDPR) was passed by the European Parliament. The regulation is due to come into effect in May 2018 and should become part of UK law at that point, but Brexit may change this, at least after March 2019 if Article 50 is triggered by March 2017. The government has so far indicated that we should assume that the GDPR will come into force in the UK, which will still be a member of the EU in May 2018. We advise you plan for the changes and make sure you update your Data Protection policy to reflect the changes and your employees are made aware of the updated policy.
For employers, the GDPR is important as it will change the rules regarding consent by employees to processing of their data. There will also be changes to data request processes, the introduction of the ‘right to be forgotten’ which will allow requests for erasing information in certain circumstances, and the ‘right to rectification’ allowing employees to insist, in certain circumstances, on making changes to their personal information. Increased penalties for non-compliance will apply.