Data Protection and General Data Protection Regulations (GDPR)
In simple terms, GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals. The main UK legislation governing data protection is the Data Protection Act 2018 (DPA). The DPA reflects the General Data Protection Regulation (GDPR).
Your employer should appoint a Data Controller – this is someone within the organisation who is responsible for deciding how and why personal data is processed. The Data Controller is also responsible for ensuring that the key principles under GDPR are complied with.
The UK GDPR sets out seven key principles:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
Your employer should have a GDPR policy in place which sets out how they will handle any data that they hold about you.
One particular right that employees should be aware of under the GDPR is the right to request a copy of the personal data that their employer holds about them, known as a data subject access request. This is commonly used where there are contentious issues involved, particularly in advance of bringing tribunal proceedings, but it is not limited to such occasions and can be made at any time. If a request is made, your employer should provide the information requested within 30 days. It is advisable to set out clearly the scope of the information requested: if the request is too broad, your employer may be entitled to request an extension or argue that the request is unreasonable.
The Information Commissioner's Office (ICO) is an independent body which promotes and enforces the DPA in the UK. If you have concerns about how your employer is holding or processing your data, you can lodge a complaint with the ICO.