Data protection laws in the UK changed when a new European Union law came into force in May 2018, known as the General Data Protection Regulation (GDPR). The UK must comply with this new law, and has promised that whatever happens with Brexit, the UK will continue to comply into the future.
The GDPR has introduced some big changes, but when it comes to the workplace, the new law largely strengthens existing rights, rather than providing new ones. Here are the main legal rights available to individuals under the GDPR:
- the right to be informed about your personal data, processed or held by your employer;
- the right to access your personal data;
- the right to have mistakes corrected within one month, or two months if the request is complicated;
- the right to erasure (this is the so-called ‘right to be forgotten’) in some circumstances. This is not an absolute right but it strengthens your employer’s existing duty not to hold identifiable personal data for any longer than reasonably necessary;
- the right to ‘data portability’, in other words, to receive your data in a structured, commonly used and machine-readable form, and to be able to transmit it to another data controller (for example, a new employer) without hindrance;
- the right to restrict processing in some circumstances;
- new safeguards to protect people from the risk of damaging decisions taken on an automated basis (that is, without human intervention); and
- new safeguards where an organisation uses automated processing to ‘profile’ personal characteristics. This might be relevant in the future in the use of psychometric testing in recruitment.
The GDPR also imposes new or strengthened duties on your employer, for example to keep records, to report breaches and to meet minimum standards of data protection when designing data systems.
You can find out more about the GDPR and how it affects your rights at work from the website of the Information Commissioner’s Office.