At our recent webinar on “GDPR Compliance: How UK Employers Can Meet the 25 May 2018 Deadline” we were asked a number of questions via the chat facility. Those questions showed that, with less than a year to run and much to do before then, there is still widespread uncertainty as to the detail of the obligations which the General Data Protection Regulation will impose on employers in the UK.
That uncertainty is understandable – although the GDPR is more prescriptive than your average EU Regulation, it is still relatively general and principles-based and leaves the specifics to a large extent unclear. The Government announced plans for new UK data protection legislation earlier in the summer but then basically went on holiday, so we are unlikely to see the granular detail of this until September or October.
Nonetheless, if broad-brush guidance is your thing, some of those questions can be answered in just about enough detail to start your compliance planning now. In this blog and in each of the rest of this series we will offer our views on the practical issues raised in a couple of those questions:
What is the impact of the GDPR on the definition of personal data?
Certain key concepts will remain the same under the GDPR. This is one of them. In the employment context, “personal data” means any information that an employer holds about its staff from which they can be identified as individuals, whether directly or indirectly. The definition is broad and would cover information contained in an employee’s personnel file (e.g. disciplinary and grievance notes, medical records, etc.), emails about a named employee, information contained in HR tools such as payroll systems, surveillance information, CCTV footage, and so on. However, it does have to be “about” the employee to some extent, and so it would not include emails or memos of which he is merely the sender or recipient if they do not also contain facts about him as an individual.
The GDPR regulates the “processing” of personal data which means it will cover its collection, use, disclosure and destruction.
In the employment context an employer will (as now) be a “data controller” and employees, workers, etc. will be “data subjects”. We do not anticipate that there will be any change to the requirement that to be disclosable, personal data must be kept in a “relevant filing system” – though there will (should!) be very little employee data that an employer holds which is not.
Could you give me an example of what would amount to a “legitimate interest” that would justify processing?
The GDPR sets out the grounds on which it is lawful for data controllers (in this case employers) to process employee data, including where the processing is necessary for the purposes of the “legitimate interests” of the employer or a third party, except where such interests are in turn overridden by the interests or fundamental rights and freedoms of the employee. This will be particularly important since the GDPR will in broad terms end an employer’s ability to rely on consent in the recruitment papers or employment contract as a green light to process personal data – the view is that such consent is not necessarily voluntarily given and so is void. Legitimate interests (and legal requirement) will then be pretty much all the employer has left in most cases.
We do not yet have any guidance from the Information Commissioner’s Office on what may amount to a legitimate interest, although we understand that it will be issued later this year. The ICO has however already acknowledged in its draft guidance on consent that commercial benefits may constitute a legitimate interest, unless this is outweighed by the harm to the individual’s rights and interests.
Examples of a legitimate interest could include an employer’s need to monitor its employees’ use of email and the internet to prevent fraud or damage to its business, or to process employee data during a grievance process in order to respond to an employee’s grievance.
Employers need to be aware that if they rely on “legitimate interests” to justify the processing of employee data, employees will have the right to object to that processing. This means that the employer cannot then process the data unless and until it has confirmed to the employee in writing the compelling grounds for the processing which override the objection.
It is therefore critical that employers take the time to identify their legitimate interests, consider the scope for objections and decide whether there are compelling grounds to continue. Ask yourself sternly why you need to collect, use or store each bit of personal data you hold, and what problems might realistically arise for you or the employee if you stopped doing so.
Employers will also have to explain the lawful basis for processing employee data in their privacy notices and when they respond to subject access requests, so the time taken in assessing and recording the robustness of those interests in advance will rarely be wasted.