Most employers will no doubt already be swamped by the variety of commentary on the General Data Protection Regulation (GDPR) which will come into force on 25 May 2018. Most of this is generic, so what we will focus on is what an employer in Northern Ireland needs to do, on a practical basis, in readiness.
We have set out below some guidance to assist in the coming weeks and months in preparation for GDPR.
Employers should assess what personal data (including sensitive personal data) is collected in relation to employment matters, why it is held and the length of time it is retained.
This not only includes data relating to current employees, but is wide-ranging and will include, for example, personal data held which relates to former employees and personal data held in relation to potential new recruits or unsuccessful candidates (CVs, application forms etc).This audit must comply with other NI rules and regulations on data held, such as Article 55 monitoring returns under the Fair Employment and Treatment (Northern Ireland) Order 1998 (FETO) and pay regard to other NI specific legislation such as the Rehabilitation of Offenders (Northern Ireland) Order 1978.
Identify Legal Basis
Once your business has conducted its audit, the legal basis for collecting, processing and retaining that data should then be assessed.
Many employers currently rely on a 'consent' clause within employment contracts, however the validity of employee consent has been queried, due to the imbalance of bargaining in an employment relationship. Additionally, GDPR introduces a higher bar for relying on consent as a legal basis for processing personal data, in that data subjects will be able to withdraw their consent at any time.
As such, employers should either revise and re-issue the 'consent' wording or must try to rely on another legal base for processing personal data, as best as possible, as the current 'blanket' consent clause will be obsolete.
Examples of other legal bases for processing personal data include1:
1. If the data is required for performance of a contract with the data subject. For example, an employment contract;
2. If the data is required for compliance with a legal obligation to which the employer is subject. For example, 'FETO' monitoring forms will include sensitive personal data identifying employees' community backgrounds, as referred above.
Personal data should be held for no longer than necessary. Therefore, your business should also determine what your data retention policy is going to be and the rationale behind it, having regard to the legal bases upon which the data is held. Practically, this will include a review of third parties, to whom the employer will have disclosed information such as insurers (brokers) and private healthcare providers.
Review Policies and Privacy Notices
Contracts policies and procedures
GDPR introduces new and enhanced rights for individuals and, generally speaking, data subjects (e.g. employees) will have greater control over the processing of their personal data.
In any event, any contract which explicitly references the Data Protection Act 1998, or the 'US Safe Harbour' schemes, is also obsolete.
It is therefore critical that contracts, policies and procedures are reviewed and revised in order to meet the new and enhanced rights of data subjects.
There are also enhanced obligations on employers to provide employees with information as to the collection of their personal data, to ensure that the employer's processing activities are fair and transparent.
This information must be provided in an easily accessible form for employees (often referred to as a 'Privacy Notice') and plain language free from 'legalese' must be used.
Employers should therefore review and update existing privacy notices (or introduce privacy notices, where these do not currently exist), to ensure compliance. Drafting must therefore be tailored to the business; precedent or generic drafting should be resisted.
The implementation of GDPR has brought data processing into the spotlight. It is a reality that many businesses will hold and process personal data: certain members of staff will have access to that data and will be required to process it for specific purposes in which case a Data Protection Officer will need to be appointed; and moreover, that person will need to be given meaningful training and real authority.
It is equally important that middle and senior management have a working knowledge of individuals' increased rights under GDPR and the enhanced obligations that rest with the employer, to ensure that personal data is processed correctly.
GDPR has removed the ability to charge a fee for responding to a subject access request (SAR) and the timeframe for responding to a SAR will reduce to one month. This will have a significant impact on litigation in NI where the £10 fee was often used to withhold or delay speculative requests.
Staff members who will assist in responding to SARs should therefore be trained to ensure that they understand the internal process and protocol for addressing and responding to these requests within the required timeframe.
Employers must be able to demonstrate continued compliance to the supervisory authority. This will involve assessing and implementing appropriate and proportionate technical and organisational measures and procedures.
GDPR has enhanced the powers of supervisory authorities to enforce compliance, which includes the power to impose significant fines (of up to €20 million (approx. £17.5 million) or 4% annual worldwide turnover). This does not include the additional financial exposure in respect of claims brought by data subjects for failure to comply with GDPR.
Ongoing compliance should therefore be monitored on a continuing basis, to reduce financial, litigation and reputational exposure.
We would be delighted to assist you and your business in preparation for the implementation of GDPR in May 2018. If you would like us to assist you with conducting an audit of your current employment practices and policy documentation, or for further information, please do not hesitate to contact a member of the ALG team.