The General Data Protection Regulation (GDPR) came into effect just over a year ago via the Data Protection Act 2018. The regulation epitomises an international shift towards data protection, confidentiality and transparency online. This shift has forced employers to proactively manage the ways in which they handle data; however, the question remains whether GDPR has been a success.
GDPR has forced employers to ensure that their employees are not mishandling data that has come into the company’s possession. As a result, having a proactive GDPR policy and the required privacy notices in place is now a ‘must’ for any business even if they have a low head count and a limited client base.
In this respect, GDPR has been a clear driver of change for employee data rights.
The rationale behind such policies is that data breaches allow unauthorised people to handle or process data that may contain private information. GDPR has in turn highlighted the responsibility that employers bear for their employees’ actions when managing data. This was demonstrated in Wm Morrison Supermarkets Plc v Various Claimants, which found Morrisons vicariously liable for the actions of a rogue employee who had posted personal data relating to approximately 100,000 employees online. Crucially, this case is now heading to the Supreme Court and, if the court finds that damages should be awarded to those affected, this will have worrying implications for employers.
The most common complaints that the Information Commissioner’s Office has received over the last year are those relating to data subject access requests. The abolition of the old £10 fee for such requests has meant that there has been an increase in speculative claims from employees. Without effective policies and strong employer-employee communication, employees are often in the dark over what information the company stores on them.
One year on, significant uncertainty remains over data protection and how employers must conduct themselves. Employers need to actively invest in compliance and training for their employees in this area whilst being as alert as possible to new legislation and any internal issues arising.
We at Napthens are experienced in assisting employers in limiting their exposure in relation to GDPR. Please feel free to contact a member of our Employment Team if you have any questions in relation to this blog.