Written by Martin Pratt
We are less than nine months away from one of the biggest compliance hurdles human resources teams have faced in living memory – the advent of the General Data Protection Regulation (GDPR). This new law will represent the biggest shift in data protection law since the advent of the Data Protection Act 1998 and, although many of the concepts and procedures remain the same or very similar to the old law, the regulatory burden and penalties for getting it wrong will grow enormously.
Under the GDPR, financial penalties for a data protection breach will become a potentially eye-watering 4% of worldwide turnover or €20 million – whichever is the greater. In that environment the importance of making sure your organisation doesn’t breach the rules and, if something does go wrong, to stay on the correct side of the ICO by notifying them within the newly mandatory 72 hours cannot be overstated.
So what are the six key steps employers need to take before next May’s implementation date?
1. Stop relying on data protection consents in your employment contracts (or elsewhere)
The GDPR mandates that consent for the processing of personal data, in the absence of reasons otherwise justifying it, must be ‘freely given, informed, specific and explicit’. At the moment many employers have a general “catch all” data protection consent provision in their employment contracts but it is very doubtful these will be effective going forward. In its draft guidance on GDPR consent the Information Commissioner’s Office (ICO) said –
“… if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data [my emphasis]”.
So employers cannot rely on employee consents for processing data and will need to look at other justifications for doing so. Justifications can be that processing is necessary for the performance of the employment contract, or to protect the ‘legitimate interests’ of the employer, or that it is necessary for a specific legal obligation – such as the requirement to send employee liability information to a transferee under TUPE. Most day-to day HR operations should be covered by these justifications.
Far more problematic will the collection of sensitive personal data. If you previously collected data like civil partnership status, health conditions or criminal convictions, you will now have to directly justify why you need this information in order to continue doing so. If the data is not relevant to the role or management of the worker (do you need driving licence details in a desk based job?) then you may find it impossible to justify or get a consent to collect it. I have seen employers monitor employee weight for workplace health reasons – this will not be lawful under the GDPR unless there is a legitimate organisational reason for it.
What to do now: Audit the personal data you hold on employees. Employers need to closely examine what employee data they are processing and why. If you don’t have one of the legitimate reasons to collect the data (i.e. have a legitimate interest or legal requirement to do so, or you need to do so in order to properly perform the employment contract) then consider whether you should stop, and delete the unnecessary information you already have, in order to cease your reliance on soon-to-be ineffective employee consents.
2. Issue ‘Privacy Notices’
As a result of the GDPR, employees need to be given far more detailed information about how their personal data is being used by their employers. Not only must employers tell their staff why they are holding personal data, they must (amongst much else) also detail the legal basis for doing so, the organisation’s data retention policy, and the right of the employee to make a complaint to the ICO. Furthermore this information must be given in a manner that is concise, transparent and easily accessible.
What to do now: Prepare straightforward and simple “privacy notices” to give to employees. Such a note to all staff, containing the mandatory information, and issued well in advance of the GDPR’s implementation next May, will ensure compliance with this new requirement.
3. Make sure you have procedures in place to immediately notify the ICO of any data breach
Currently there is no express obligation in the UK to notify the ICO in the case of a security breach of human resources data, although the ICO takes the view that it is required in serious cases. Going forward, however, nearly all data breaches must be reported to the ICO within 72 hours. Furthermore, if the breach is likely to effect the rights and freedoms of an employee, then that employee must be notified “without undue delay”.
What to do now: Put in place an action plan to respond to breaches and consider appointing a Data Protection Officer to co-ordinate it (see below). Employees should not be deterred from reporting breaches, so consider how you will encourage employees to report when, for example, they lose a memory stick on the bus. It is more important to know in order to avoid a penalty from the ICO than to discipline the employee – although common sense should be applied to “serial offenders”.
4. Be prepared for more Subject Access Requests
Subject access requests are controversial in employment law because they are frequently used by disgruntled employees (or ex-employees) to fish for information to be used in employment tribunal claims. This situation is likely to continue and the number of requests increase.
The previous (nominal) deterrent of a £10 fee will be abolished. Employers will have to respond to requests within one month rather than the previous 40 days – important in the context of the three-month time limit on most employment tribunal claims. The GDPR does contain provisions that, theoretically, allow employers to charge a fee, extend the one month time limit for responding, and even not respond at all, but it is almost inevitable that these provisions will be interpreted very narrowly and will not be an escape route for HR teams reluctant to comply.
What to do now: More requests means more inconvenience unless your IT systems are able to easily retrieve the personal data sought by the relevant employee. A review of systems for retrieving personal data is a must and employers might also consider whether their staff should be able to have access to more of their personal data through online portals – making a Subject Access Request unnecessary.
5. Consider appointing a Data Protection Officer
Unlike Germany, there is no obligation in the UK for employers to have a Data Protection Officer (DPO). Under the original GDPR proposals, it was envisaged that all large companies would have to have a DPO but that requirement has been scaled back so that only public authorities and organisations that systematically monitor or control large sets of personal data (e.g. health records) will have to have one. Even if an organisation is not required by the GDPR to have a DPO they may like to consider appointing one to show a commitment to comply with the new law, to ensure compliance and give training, draft policies and procedures, to be a point of contact with the IPO and to advise the business on the GDPR generally.
What to do now: Decide whether you should appoint a DPO from within your existing workforce or otherwise. If you decide to recruit internally, determine their training requirements, and what the role will involve, ensuring it does not interfere or create a conflict with their existing tasks.
6. Be aware of new employee rights
The so-called “right to be forgotten” has received a lot of attention in the context of social media. It is unlikely that employees will be able to insist that every single email that mentions them be deleted but where, for example, an expired written disciplinary warning remains on file, the new right to ask employers to ‘delete it, freeze it, correct it’ becomes very relevant.
What to do now: Get to know the new ‘delete it, freeze it, correct it’ data rights available to employees from next may and make sure your systems are capable of responding to them if necessary.
Contact the Author