Rachel Ashwood and Shelley King outline key implications for charities arising under the impending new General Data Protection Regulation
As most readers will now be aware, the provisions of the General Data Protection Regulation (GDPR) will come into effect in May 2018.
Much has been said about the likely impact of the GDPR on charity fundraising activities. However, less has been said within the charities sector about how the new data processing rules will require relevant organisations to change the way in which they handle any data relating to their staff or volunteers (HR data).
This article sets out some of the key GDPR issues that those handling HR data must be aware of.
Under the GDPR, consent remains a legitimate basis for processing HR data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Also, any member of staff or volunteer (collectively referred to in this article as employees) must be able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that an employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in existing employment contracts and policies will meet the new requirements.
Action point: Organisations should review the basis they rely on for processing HR data and consider whether it will still be appropriate to rely on consent (this may be possible in one-off cases) or whether they can rely on another valid basis for processing HR data.
Subject Access Requests
The right of employees to request information about the personal data processed by their employer remains broadly similar under the GDPR. However, under the new regime, the starting position will be that employers must respond to a request without undue delay (and, in any case, within one month of receiving the request). Moreover, the current £10 fee for making a request will be abolished. Whilst there are provisions that enable an employer to charge a fee, extend the time limit for responding or even decline to respond at all, precise guidance is yet to be released by the Information Commissioner’s Office (ICO).
Action point: Employers will need to update relevant policies and procedures to ensure they reflect the new regime.
Under the GDPR, employees must be provided with much more detailed information about the personal data that their employers hold. For example, employers must tell employees the purpose for which any personal data is processed and what the legal basis is for doing so. Amongst other things, any relevant data retention policy must be explained, along with the employees’ rights in relation to their personal data, their right to withdraw consent to processing and their right to lodge a complaint with a supervisory authority.
Action point: The recommended way to convey this information is to issue privacy notices to staff, which are easily understandable and accessible. Any such notice will need to be constructed to ensure it contains all of the mandatory information and issued to staff in advance of the GDPR taking effect.
New (and enhanced) employee rights
The GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with the suite of so-called “delete it, freeze it, correct it” rights, which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.
Action point: Organisations should familiarise themselves with the new rights to ensure that processes and data management systems are capable of responding to these rights.
Data Protection Officers (DPO)
It will be compulsory for public authorities or private organisations involved in systematic monitoring or large-scale processing of sensitive data (e.g. health data or criminal records) to appoint a DPO. The DPO will advise the organisation on all GDPR matters, monitor compliance, ensure that appropriate data policies and training are implemented and be a point of contact for the supervisory regulator.
Action point: Organisations must determine if the appointment of a DPO is required. If yes, thought should be given to whether this role is assigned to an existing member of staff or whether a new hire is required. Even if there is no legal requirement for a DPO, is a DPO or similar role something that the organisation wants to create?
Data Breach Notification
Under the GDPR, employers must notify data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This applies to all data breaches, except those which are unlikely to cause harm to affected employees or other individuals. Further, where the breach is likely to result in a high risk to the rights and freedoms of employees, the employer must also notify the affected employees “without undue delay”. Whatever the degree of the data breach, organisations are required to keep a record of all breaches.
Action point: Establishing a data breach response plan will be key. Employees must be made aware of how to report breaches, to whom and when.
The information above gives a flavour of the key changes that the GDPR is likely to bring to the processing of employment data. Of course, the GDPR will affect all types of personal data that an organisation may process (be this related to supporters, alumni, clients, suppliers or others). The GDPR offers a great opportunity for organisations to showcase a high standard of personal data protection, which can in turn lead to greater internal efficiency and a chance to build a stronger pool of engaged staff, supporters and donors.