Mark Zuckerberg, founder and Chief Executive of Facebook, was hauled over the coals before the US Congress to explain Facebook’s (alleged) breach of data privacy.
Zuckerberg was forced to answer questions about the use of personal data and whether Facebook had breached its responsibility to keep that data protected. Questions have subsequently been raised about the regulation of Silicon Valley’s big players, Facebook among them. The allegations centre on whether Cambridge Analytica, a consulting firm based in the UK, harvested the personal data of some 87 million Facebook users without a legitimate basis for doing so.
Breach in the UK
Cambridge Analytica reluctantly confirmed that it used data from various sources (including Facebook) to build profiles of voters during the 2016 American presidential election, and that those profiles were in turn used to target news and articles intended to influence voters.
This latest furore surrounding privacy and data protection coincides with the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
The GDPR replaces the Data Protection Act 1998. It seeks to give individuals more control over how their personal data is managed, and it introduces significant fines and penalties for organisations that breach its requirements.
One thing that can be gleaned from Zuckerberg’s questioning in Washington is the attempt to mitigate what happened by suggesting that mistakes are inevitable in running a business. The Facebook pioneer stated that ‘it is largely impossible to start a company and grow it to a scale without making some mistakes, specifically in relation to privacy’.
Whether this is a reasonable justification for any breach is certainly debatable, but the new legislative framework goes some way to setting out what is necessary for compliance in exactly these circumstances.
Are you GDPR compliant?
In view of the introduction of the GDPR, businesses with employees need to have privacy at the forefront of their thinking. It will soon be a requirement for employers to ensure that any personal data they hold about their staff is processed in accordance with the provisions of the GDPR.
Out with the old, in with the new
What the GDPR introduces over and above the old data protection legislation is a principle of accountability. Employers must be able to evidence their compliance with the principles that protect individuals’ data, and they will need to identify a lawful basis for processing employees’ personal information (for example, performance of the employment contract, compliance with a legal obligation, or the employer’s legitimate interests). Consent is rarely a sound basis in the employment context, because the imbalance of power between employer and employee means it is unlikely to be freely given.
It is therefore recommended that contracts of employment and staff handbooks are reviewed and updated to ensure that businesses are GDPR compliant.
Our briefing for HR professionals provides practical guidance on what steps you should take to ensure that you are GDPR compliant.
Privacy notices to employees
It is also necessary to issue a comprehensive privacy notice to all employees, workers and consultants. This should set out the way in which the organisation will process their personal information, including the purposes of and lawful basis for the processing, who will receive the data, how long it will be kept, and the individual’s rights, including the right to complain to the ICO. The privacy notice should be tailored specifically to the business and/or the type of work it carries out, and it should be prepared only after the employer has undertaken an audit of the personal data it holds.
During the audit, the employer should identify the following:
- All personal information which the business holds about employees and/or candidates, and where it came from
- The ways in which the information will be processed, and the lawful basis relied on for each purpose
- How long the personal information will be retained for the purpose for which it was collected
- Any third parties to whom the personal information may be transferred, including any international data transfers (relevant for international companies), even where the transfer is only for the performance of payroll or benefit obligations
- Any automated decision-making within HR processes, for example in recruitment (automated rejection and shortlisting sifts, psychometric testing, aptitude testing), triggers for sickness absence or disciplinary action, attendance bonuses, shift and holiday rostering, and employee monitoring; individuals have specific rights in respect of decisions based solely on automated processing that significantly affect them, so these processes need to be identified and documented
Countdown to GDPR
The clock is ticking for businesses to ensure that they are GDPR-ready. The fines that can be levied on organisations for failing to comply with the GDPR are significant: for the most serious infringements, up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
The Information Commissioner’s Office (ICO) has issued GDPR guidance to help businesses understand the changes, its stated emphasis being on helping organisations get it right rather than on punishment in the first instance. If businesses do get it wrong, help is available to remedy any issues.