The General Data Protection Regulation (GDPR) is now in force, the Data Protection Act 2018 received royal assent on 23 May 2018, and the new era of data protection has started. However, to the casual observer, it would seem that all that happened was that privacy notices and data processor agreements were scattered about and there was a flurry of emails from organisations to individuals seeking consent to continue contacting them.
So what has actually changed? Admittedly, some privacy notices are now spectacularly long - as expected, the Information Commissioner's Office (ICO) is an excellent example of a very detailed, layered, comprehensive privacy notice. But at first glance, it does not appear as though very much has changed in practice. Businesses can still conduct business, organisations can still employ their employees, direct marketing (especially business-to-business direct marketing) can still happen. And unfortunately, unwanted calls regarding PPI claims will presumably still continue - although these may morph into unwanted calls regarding GDPR claims.
One of the key purposes of the GDPR is to raise awareness of data protection. In undergoing a GDPR-compliance project and preparing a new privacy notice, organisations will have had to address, possibly for the first time, what personal data they obtain, what they do with it and, most importantly, why they use it. And in receiving a bundle of privacy notices and requests for marketing consents, individuals will now be more aware of which organisations hold their personal data and what their rights are in connection with such personal data.
As a result of the increased awareness of data protection, though, it is predicted that more and more individuals will seek to exercise their rights in respect of their personal data. For employers, this means that the organisation will need to have appropriate data protection policies in place in order to cope with such requests. In particular, if an employee makes a subject access request (being a request for access to their personal data), would the employer be able to respond appropriately within one month of the request? It needs to be borne in mind that an employee's personal data is contained not only within the employee's personnel file but could also be found in internal and external emails, in documents stored on an intranet or on a hard drive, or in papers contained in a filing system. The employer also needs to be aware that, other than the right to object to direct marketing, none of the individuals' data protection rights are absolute, and exceptions are set out both in the GDPR and the Data Protection Act 2018. Organisations should now have appropriate data protection policies in order to cope with such requests and, if not, these should be put in place immediately. No one wants to be the first to receive a big fine.