A new Data Protection Bill was published on 14 September by the Department for Digital, Culture, Media & Sport. The Bill aims to bring the European General Data Protection Regulation (GDPR) standards into national law ahead of the UK’s exit from the European Union.
As HR professionals prepare for a GDPR compliance overhaul, they must now also keep a careful watch on the development of the Data Protection Bill. The Bill not only replicates the GDPR’s standards but also supplements them and defines exemptions from them in a number of areas, including HR and employment.
Why is there a new Data Protection Bill?
The GDPR is a European Regulation which will have direct effect in the UK from its entry into force on 25 May 2018. National legislation is not required to bring the GDPR’s provisions into force. However, in August 2017 the Government issued a Statement of Intent explaining that it intended to issue a new Data Protection Bill to ensure that post-Brexit the UK will continue to apply equivalent standards to those in the GDPR.
The Bill has now been published and received its first reading in the House of Lords. When enacted, it will replace the current Data Protection Act 1998 ('DPA') and aims to provide a ‘complete data protection system’ applicable to general data covered by the GDPR as well as law enforcement and national security data. Until the UK leaves the EU, the Government has stated that the Bill will operate ‘in tandem’ with the GDPR. Post-Brexit, the Bill will restore a wholly domestic basis to data protection laws.
How does the Bill affect employers and HR?
Although the Bill is likely to be subject to changes as it progresses through Parliament, the current version appears to contain a number of provisions which will impact on HR and employers.
Helpfully, the Bill preserves some existing exemptions under current UK data protection laws (e.g. limited exemptions from individuals' rights to access their data relating to confidential references or management forecast/planning data such as plans for collective redundancies) and extends these exemptions to cover other new individual rights. However, the Bill also supplements the governance requirements of the GDPR, adding an extra layer of compliance.
Of particular interest to employers and HR is a requirement in the Bill for an ‘appropriate policy document’ to be in place when processing ‘special category’ data (an extended version of ‘sensitive personal data’ under the DPA including data relating to health, racial or ethnic origin, religious beliefs, etc.) on the basis that the processing is necessary for performing or exercising obligations or rights under employment law. This ‘employment law’ legal basis for processing is likely to be heavily relied upon by employers, and the Bill appears to now make the need for a policy document an obligation rather than just good practice.
What should employers and HR be doing now to prepare for the Bill and the GDPR?
The Government has referred to the Bill operating ‘in tandem’ with the GDPR (which suggests it will be enacted before May 2018). However, before the final version of the Bill becomes available it will be important to follow its progress and check for developments or changes which could supplement the current compliance obligations set out in the GDPR.
While waiting for the Bill to be enacted, employers and HR professionals must ensure that they are preparing to be GDPR compliant by 25 May 2018.
How EEF can help
To assist with data protection compliance, EEF has published an Essential Guide for HR along with a new GDPR Compliance Timetable which sets out the ‘must-do’ tasks to be completed by HR ahead of GDPR enforcement. Our HR and employment law team will also be delivering a series of seminars, 'On the Road to Major Changes', which will provide an in-depth guide to the GDPR and data protection compliance for HR.