Contact us | Membership Enquiries 0800 028 0245 | Search

EU General Data Protection Act Regulations

Obligations under the Data Protection Act

The UK government has been clear that, despite Brexit, they will implement the regulations.

Although EU Member States have up to the 25th May 2018 to implement the new rules in their national laws, you need to think about how to plan for the changes for your business now.

Let us refresh the current obligations under the Data Protection Act and what changes are coming into place next year.

Obligations under the DPA

You will need to follow the 8 key principles as set out in the DPA:

  1. Data should be processed fairly and lawfully.
  2. Data should only be obtained for specified and lawful purposes.
  3. Data should be adequate, relevant and not excessive to the purpose.
  4. Data should be accurate and kept up to date.
  5. Data should not be kept for longer than necessary.
  6. Data should be processed in line with the rights of data subjects.
  7. Steps should be taken to prevent unauthorised or unlawful processing of data and against accidental loss or destruction of, or damage to, personal data.
  8. Data should not be transferred to a country outside the European Economic Area unless there is an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Job applicants

Before job applicants even become your employee, you have certain obligations. You should explain to them how you will use the information they have provided as part of the recruitment and selection process. You should not seek information beyond what is necessary for that purpose.

Remember that all information should be kept securely and it should not be disclosed to external parties unless the applicant has consented to this.


Employees should also be aware of what data you have about them in your records, how it is used and whether you will disclose data to other parties.

If you have workplace monitoring in place – CCTV, reviews of phone logs, internet use or email – you should tell them about it and the reasons for it. The ICO warns that covert monitoring is rarely justified.

It is also important to keep information secure through passwords and encryptions, including any portable devices such as memory sticks or laptops.

You need to monitor what records you are keeping, ensuring the information is accurate, not exceeding what is required for the purpose it was collected and has not been kept longer than necessary. If you no longer need the data, dispose of it securely.

Workers’ rights

Workers have the right to access the personal data you are holding about them, the reasons why it is being processed and whether it has been given to other parties. You have 40 days to respond to the request.

Training and policies

It is in the best interests of your business to have a data protection policy in place and ensure that all your employees understand their obligations under the DPA. Training should be provided not only to new starters, but also to current staff to remind them of what they must do to comply with the law.

Introduction of General Data Protection Regulations

As discussed above, the EU General Data Protection Regulations will apply from next year. It may seem a long time away, but you need to start preparing now.

Some of the measures under the Regulations are as follows:

  • In cases of data breaches, for example an accidental loss of data, organisations must notify the relevant data protection authority without undue delay and where possible no later than 72 hours. Data subjects must also be informed without undue delay about breaches that could pose a high risk to their rights and freedoms.
  • A subject may request that their data is deleted if there are no legitimate grounds for retaining the data. This is known as the ‘right to be forgotten’ or ‘right to erasure’.
  • When a subject’s consent is required, they must be asked to give it by means of a clear affirmative action, such as a written statement. Silence or inactivity is not a sign of consent.
  • Organisations must appoint a ‘data protection officer’ if they process sensitive personal data on a big scale, or regularly and systematically monitor data subjects on a large scale.
  • It imposes higher maximum penalties for failure to comply, including fines of up to €20 million or 4% of annual global turnover (whichever is higher).

The clock is now ticking, so make sure you are getting prepared for the changes highlighted above. This will involve updating your internal rules and systems to reflect these changes and training those handling and processing personal data to understand the new requirements.

To obtain further advice on this topic, please download the General Data Protection Regulation Guidance or contact the bira legal team.


Author: Laura Chalkley, Senior Employment Law adviser and Partnerships team leader of Ellis Whittam.