Insights from the Bill’s first reading.
It will not have escaped people’s attention that the GDPR is due to come into effect on 25 May 2018. What may have passed you by is that the first draft of the Data Protection Bill received its first reading on 13 September 2017. The Bill is out first real insight as to what will ultimately become the new Data Protection Act 2018, so, what does it say?
Thankfully, there are no nasty surprises, so far. The headlines from the Bill’s first reading for businesses, and business leaders, to be aware of are:
The provisions of the GDPR will remain in force after the UK leaves the EU. For businesses with international reach it will be comforting to know that UK and EU approaches to data protection will continue to be aligned after Brexit;
Employers who process certain categories of personal data (including that which relates to criminal convictions) will need to prepare an “appropriate policy document” which must be updated regularly and made available to the ICO if requested. In practice, employers who introduce and maintain a GDPR-compliant data privacy notice are likely to satisfy these additional requirements;
Data subject rights are considerably expanded under the GDPR. However, the Bill does provide that employers will, for the first time, be able to charge a separate fee to a data subject who request is “manifestly unfounded and excessive” or refuse to respond altogether. We anticipate lots of employers wanting to rely on this exemption and will report further when additional guidance is available.
The Bill creates a number of new offences for any data controllers found to be altering, destroying or concealing information when responding to subject access request. However, it will continue to be possible to withhold information based on one or more of the following:
- Legal privilege
- Management planning information
- Information about the business’s intentions during negotiations with an employee
- Confidential reference
Now that the Bill is well on the way to becoming law, it’s vitally important for employers, of all sizes, to get ahead of the game and put together a plan to avoid the eye-watering fines that can be awarded for non-compliance. Our first seminar is 2018 will be on the GDPR and so if you’d like to register for that, or have any other questions or concerns about the issues covered her, please get in touch with Tiggy or Emma on 01904 520 160 / email@example.com