The General Data Protection Regulation (the GDPR) will come into force on 25 May 2018. This might feel like a long time away on a cold winter’s morning, but ensuring your business is ready to comply by that date is unlikely to be a “quick fix”. The GDPR is complex and, as you will see from our blog series, broad ranging in its scope. In this blog, I’ve summarised what I believe will be the 8 key employment related issues for businesses as they ready themselves for the changes to the data protection regime, and the key immediate action points to consider.
The GDPR has the potential for far greater enforcement penalties than now (there will be more on this in an upcoming blog), and it is therefore critical that the new GDPR obligations are understood and considered at a senior level in the business. Put simply, the GDPR seeks to create a cultural shift in how organisations handle personal data. Many of the principles will be familiar, and some developments have the potential to be of assistance to employers. That being said, there is a much greater focus on ensuring that systems are proactively put in place to ensure compliance. This means that in the vast majority of UK businesses will need to implement new practices.
1. Consent as a legal basis for processing employee data
At the moment, although seeking consent is not the perfect solution (as per ICO guidance), many employers justify processing employee data on the basis of consent in the contract of employment. The GDPR sets out more strict and detailed conditions for the use of consent: it must be freely given, specific, informed and unambiguous. These changes mean that consent obtained in the employment contract (which is often on a take it or leave it basis, particularly for junior employees) is unlikely to be effective. It will need to be as easy for an individual to withdraw consent as to give it, and they must be told of their right to withdraw consent at any time. The onus will be on the employer to show that the employee gave adequate consent. This is likely to require changes to existing employment contracts.
Action point: Assess the legal grounds used for processing personal data at the moment. If you’re currently relying on consent, consider whether another legal ground also applies. If the business proposes to rely on consent going forward, take advice to ensure compliance with the GDPR requirements.
2. Data breach response plan
The GDPR requires mandatory breach reporting. If there is an accidental or unlawful loss of personal data, for example, the employer will have to notify the data protection authority promptly unless there is a low risk of causing harm to individuals. This will require a quick assessment of the likely risk. The individuals themselves will have to be notified if the breach poses a high risk to their rights and freedoms.
Action point: If the business does not have an adequate data breach response programme in place, one should be prepared. Employees will then need to be trained on its requirements.
3. More information will need to be provided
At the moment, employers should provide job applicants and employees with a privacy notice, setting out the purposes for which data is processed and the information needed to ensure the processing is fair. This is often contained in a data protection policy, or called a “fair processing notice”.
Under the GDPR, employers will need to provide significantly more information. For example: how long the data will be stored for, if that data will be transferred to other countries, information on the right to make a subject access request and information on the right to have personal data deleted or rectified in certain circumstances (see “delete it, freeze it, correct it” below). However, this information must also be concise, transparent, easily accessible and given in plain language, which will no doubt be a source of tension here.
Action point: Review current privacy notices and update them to comply with the more detailed requirements of the GDPR.
4. Changes to subject access requests (SARs)
This is an area of potential improvement for employers. That being said, the changes may create additional areas for dispute with employees.
The 40 day deadline to comply with a SAR is to be replaced by an obligation to comply without undue delay and within one month. If the request is complex, there is the possibility of an extension of up to two additional months. Often the most complex SARs will arise in the employment context, and so there may well be scope to take advantage of the longer period for compliance.
In addition, the £10 fee is to be removed. Instead, there will be an ability for employers to request a reasonable fee where the SAR is manifestly unfounded or excessive.
Action point: Ensure that relevant personnel are aware of, and trained in, the new SAR regime. Relevant policies will also need to be updated.
- “delete it, freeze it, correct it” package of rights.
Employees will have increased rights to object to certain processing, to have data corrected or restrict how data is used, and to be forgotten (i.e. have data deleted). Like SARs, if these requests are clearly excessive then an employer can refuse to carry out the request or charge a fee. However, as employees and their advisers become more familiar with these rights, we may see them being used as additional tools in employment disputes. For example, if privacy notices are not fit for purpose, or if processing is based upon ineffective consent, employees may argue that the processing is unlawful and so the data should be deleted. In the right circumstances, an employee could seek to deploy these rights to cause difficulties with an on-going disciplinary process, for example.
Action Point: Ensure relevant personnel understand the legal basis of these developments, and consider the potential impact that failure to comply in other areas could have on these rights.
5. Relationships with data processors
Employee data will often be processed by third party providers, such as payroll companies or providers of cloud services. The rules surrounding the use of data processors, and the contractual requirements, will become more strict. For example, data processors will require documented instructions from a data controller to be able to process data. Data processors will have a duty to comply, with potential liability if they fail to do so. This is a change from the current regime and it is likely that service providers will, in time, seek to impose stricter requirements on the businesses they contract with.
Action point: Ensure that the business understands the roles data processors play in allowing it to fulfil its business functions. Assess whether the current contractual arrangements are fit for purpose.
6. Automated decision making
Employees have the right not to be subjected to automated decision making. For example, in relation to shortlisting, performance management thresholds, triggers for sickness absence and/or attendance bonuses.
Action point: Review whether automated decision making is used in the business and, if so, consider the alternative mechanisms for making these decisions.
7. Data protection officers
Public authorities and private companies that are involved in regular monitoring or the large scale processing of sensitive personal data will be required to have a Data Protection Officer (DPO). The DPO must be independent, and the resulting employment implications should be considered carefully. For example, the ability to dismiss will be more limited. Some businesses may not require a mandatory DPO, but would nevertheless find having such a role helpful.
Action point: Determine whether your business needs a DPO. If so, it may take time to recruit and train an appropriate candidate. If one is not required, consider whether it would nevertheless be appropriate for your business.
8. Be audit ready
Compliance is meant to be by design and default. It will be up to employers to prove compliance, and this will require having records and policies in place (that are organised and easily accessible) to demonstrate compliance. Data protection impact assessments will become increasingly important, and should not be forgotten for employment related matters.
Action Point: Ensure documentary records are in place, and ensure there are clear lines of responsibility. Consider the impact of this on current employees, and their job roles.
When considering these developments as an employer, it is important to remember that, perhaps unlike other categories of data, much employee data will be unstructured. Personal data about employees, or even members of their family (including children), may be exchanged in emails between colleagues, for example. This can present real difficulties in practice, but it is an issue that can no longer be ignored. There will need to be a business-wide strategy as to how compliance with the GDPR will be achieved, and employment data is likely to form a considerable part of that strategy in most businesses.