The proposed EU General Data Protection Regulation (GDPR) will have a far-reaching impact on employers, and means many organisations will have to undertake a wholesale review of their data procedures before the GDPR takes effect in mid 2018.

Although the new regime has many aspects which may at first blush be seen as challenging, in practice it may not change too much, and what is changed can easily be complied with provided suitable plans are put in place now. The first plan is undoubtedly a review of the organisation’s existing data processing practices.

The Information Commissioner’s Office (ICO) has published a helpful briefing “12 steps to take now” which will assist with this process as well as provide guidance on the central issues.

KEY ISSUES TO CONSIDER

Extensive information will have to be given to employees when obtaining personal data from them

This will require employers to give employees information on their identity, how they intend to use the data, why the data is being processed, the data retention periods and how to complain to the ICO. A guidance code is being drawn up by the ICO on this, but potentially it will require employers to provide an extensive list of information to employees at the point when employers obtain their personal data.

What are the legal grounds for processing employee data?

Consent to data processing in an employment contract will almost certainly be invalid, and could be withdrawn at any time given employees will have a new right to object to processing where consent is used as the legal basis for processing their data.

Data subject access requests (DSARs) will be easier for employees

Employees will no longer be required to pay a fee to make a DSAR. Employers must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, it is not all positive for employees, as employers can obtain a time extension for complex or multiple requests and the GDPR will introduce grounds for refusal if the request is manifestly unfounded or excessive. If employers wish to refuse a request, they will need policies and procedures in place to enable them to demonstrate why. Employees will be given the right to require data is deleted or rectified.

Employees will be entitled to check data (by making a DSAR) and then demand it is deleted on one of a number of grounds (for example, if the data is no longer necessary for the purpose for which it was obtained). Where data is alleged to be inaccurate, employers will also have to check and, if necessary, amend the data and they will be restricted as to how to use such data in the interim.

Employees have the right not to be subjected to automated decision making

This is likely to apply to matters such as shortlisting, performance management triggers, triggers for sickness absence, attendance bonuses, and holiday or shift rosters where the decisions are automated. Employers will therefore need to consider alternative mechanisms for such decisions.

Routine criminal record checks may not be allowed

Although enhanced DBS checks will still be permitted, if employers adopt a routine policy of conducting DBS checks on all employees regardless of role and whether or not there is an English legal requirement to that effect, this may be unlawful under the GDPR.

Processing children’s data

The GDPR will introduce special protection over children’s personal data, and any organisation which processes data about children (likely to be those under 13) will need a parent or guardian’s consent.

Appointing a data protection officer (DPO)

Public authorities and those organisations which regularly or systematically monitor individuals or process sensitive data or criminal records on a large scale will need to appoint a DPO. Other organisations may decide a DPO is advisable to ensure compliance with the GDPR.

Audits

The GDPR envisages changes to employers’ processes, and expects that employers (and other data processors) should be “audit-ready” at all times, meaning that every employer’s systems will need to be set up to ensure compliance by design. The GDPR will introduce a legal requirement for privacy by design and the onus will be on employers to prove compliance. Records will need to be kept and policies and procedures will need to be in place to demonstrate this.

Penalties

The importance of compliance with the GDPR when it is enacted cannot be overstated. Breach of the GDPR may lead to onerous sanctions which will penalise compliance failures heavily. Infringements of any of the basic principles for processing (including conditions for consent) and the rights of data subjects will attract maximum penalties of €20,000,000 or 4% of the organisation’s total worldwide annual turnover, if higher.

Furthermore, employers will be required to notify the ICO of any data protection breaches within 72 hours of becoming aware of a breach resulting in unauthorised loss, amendment or disclosure of data, unless the breach is unlikely to result in a risk to the rights of the employees. If there is a high risk to the data protection rights of any affected employees, employers will also have to communicate the breach promptly to the employees individually. Failure to notify a breach when required to do so could result in a fine in addition to any sanction for the breach itself.

STEPS TO TAKE NOW

The GDPR is likely to come into force in 2018, without the need for further legislation (subject to the Brexit vote). Because the provisions of the GDPR have a very wide-ranging effect in relation to data which is processed in the EU, it is expected that broad compliance with the GDPR would be required in any event, should the vote be to leave. Against this background employers should:

  • analyse their existing data processing habits;
  • question what data collection and processing is truly necessary for the employment relationship;
  • introduce new policies and procedures for data processing which comply with the requirements of the GDPR; and
  • consider if they need a DPO, if they do not already have one and whether the scope of any existing role would need to be amended.

Employers who have taken a more laid back or pragmatic view of employee data protection can no longer afford to do so without risk.