HR professionals handle a wide range of issues from managing organisational change and employee relations processes, to leading diversity initiatives and defending employment tribunal litigation. Since May last year HR professionals have also been grappling with handling employee data in accordance with the GDPR. There have been four key areas of change since the GDPR was implemented. Here’s a glimpse into these issues to which we will return in more detail in future editions of this newsletter.
First, as widely predicted, there has been a sharp increase in the number of employees submitting data subject access requests (DSARs). Often these are submitted in the context of an internal grievance or as part of wider employment litigation. One development we were not expecting is that, since the GDPR took effect, a data subject will occasionally make a DSAR simply because they are curious to know what data their employer holds on them. Anyone who has been involved in replying to a DSAR will know how time consuming and labour intensive the exercise can be, particularly where the request covers years of email. Employers need to put resources into managing the larger volume of DSARs, whether by upskilling staff to handle them in house or by outsourcing them. It is also important to train those on the front line to spot a DSAR, as a request need not use those words or be addressed to HR to start the one month clock for responding.
A second way in which employers have had to adapt since May 2018 is the need to notify the ICO of employee data breaches in more circumstances than before. The threshold for notification is now lower: a breach must be reported to the ICO, without undue delay and within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Classic accidental mistakes that will now need to be reported include sending an email to the wrong employee, particularly if that email contains any reference to the intended recipient's health or other special category data. Asking the actual recipient to delete the email remains good practice, but in the post-GDPR world it is not enough on its own: the incident still has to be assessed against the risk threshold and, whether or not it is notified, recorded in the organisation's internal breach log. Employers also need to think carefully about whether to notify, bearing in mind that, given the low threshold, it will be the exceptional organisation that has not notified the ICO of at least one employee data breach nearly a year on from the GDPR taking effect. Happily, the ICO's notification form is straightforward.
A third challenge for employers since May last year has been whether their employee privacy notices are sufficient for how employee data is actually being handled on the ground. One key aspect of this has been the monitoring and/or accessing of employee emails. Some employers have found that, despite their best endeavours in the run up to the GDPR, their privacy notices do not quite reflect the reality in detail: when, why, by whom and how monitoring is undertaken, and who ultimately has access to the information gathered. For employers who find themselves in this position, the important first steps are to identify and plug any gaps by recording the reasons for employee monitoring in a legitimate interests assessment, to update the employee privacy notice where necessary, and, where the monitoring is systematic, to consider whether a data protection impact assessment is also required.
The final theme emerging around the GDPR in the workplace has been an increase in erasure and rectification requests from employees, sometimes following a DSAR. These expanded rights are being used as a tool to expunge unfavourable disciplinary records and otherwise to secure a "clean" reference. An employer is not always obliged to comply with a request made on this basis: the right to erasure applies only on specific grounds, and the right to rectification is concerned with inaccurate data, so an accurate record that a disciplinary outcome was reached does not become inaccurate simply because the employee disagrees with it. The grounds for refusal are nonetheless complicated and must be carefully considered and documented in each case.
The employment and pensions group are dealing with all these issues on a weekly basis. For more information please contact Khurram Shamsee, Partner and Head of London Employment or Ceri Fuller, Practice Development Lawyer.