Data subjects have always had the right to make subject access requests, which we discussed in a previous GDPR Bitesize, click here to read. When the GDPR comes into force, data subjects will have additional rights, which will have significant practical consequences.
Custodians of data?
Employers need to change the way they think about employee data. GDPR shifts the onus to make clear data controllers (in this case employers) are custodians of their data subjects (their employees’) data. If employers apply this approach, the enhanced data subject rights given to employees can seem a more natural consequence, with employers adopting what may be described as a “caretaker” role.
What are the enhanced Data Subject Rights?
- The right to be informed - employees have the right to be provided with clear, transparent and easily understandable information about how employers will use their personal data, and their rights;
- The right to correct or erase information (the right to be forgotten) -
- where employers hold personal data that is inaccurate or incomplete, employees have the right to ask employers to rectify or complete this;
- where personal data has been processed unlawfully, or where it is no longer necessary for the purposes for which it was collected, or where the employee objects to processing (see below) and there is no overriding legitimate interest for continuing to process the personal data, the employee may ask their employer to erase it. This right is not an absolute right, however, and employers can, for example, refuse a request where they need to process the data to exercise or defend legal claims;
- The right to restrict processing – employees have the right to restrict processing of their personal data by asking their employer to limit what they do with it. Where an employee disputes the accuracy of personal data held by the employer or the legitimate interests on which the employer considers that they can process the data lawfully, the employee may ask their employer to restrict processing for the period of time they need to verify that accuracy or to check that their legitimate interests override the employer’s interests. The employee may also restrict processing where processing activities are unlawful or where an employer no longer needs the personal data, but they would like it retained to ensure its continued availability in connection with any legal claims;
- The right to object to processing – employees can object to processing under certain circumstances. Where this happens, the employer must stop processing the employee’s personal data unless they can show that their legitimate ground for processing the employee’s personal data overrides the employee’s interests or where the employer needs to process the data to establish, exercise or defend legal claims;
- The right to data portability– employees have the right to obtain and re-use personal data for their own purposes. This only applies in a limited set of circumstances and we expect will have far less relevance for HR teams than the other rights. It only applies where processing is carried out by automated means, to personal data that the employee has provided (i.e. not any other information) and where processing is based on the employee’s consent or for the performance of a contract. The employee can ask their employer to send them electronically the personal data or to a third party of their choice. Employers can refuse a request if the personal data concerns more than one individual and transferring the personal data in question would prejudice that person’s rights;
- The right to object to automated decision making –Employees have the right not to be subject to automated decision making where this has legal or other significant consequences, except where the employee has explicitly consented to this or where it is necessary for entering into or performing a contract.
What does this means for employers?
These are not simply conceptual rights. There are a number of practical consequences flowing from them, which include:
- The employer’s HR data audit should be identifying areas of data which is past its shelf life. Ideally employers would carry out a data cleanse, to avoid issues arising under the new rights, recognising however that for many employers this would be a huge exercise.
- Data subject rights should be set out in the privacy notice issued to employees, with appropriate tailoring. For example, if you do use automated decision making as part of your recruitment process can you either obtain effective consent or demonstrate that this is necessary for the performance of the contract?
- DSAR response templates should also set out the list of enhanced data subject rights, with these also featuring in an updated data protection policy.
- HR, legal and IT staff should be trained and aware of how to deal with these rights in practice.