Today’s adoption of the new EU General Data Protection Regulation (GDPR) heralds a new dawn in data protection, with far-reaching consequences for employers. For many, there will need to be a wholesale change in culture with a brand new approach to processing personal employee data. It is likely that existing practices will fall well wide of the mark and will require substantial review before the GDPR takes effect in 2018. The importance of this cannot be overstated given the introduction of extremely onerous sanctions which will heavily penalise breaches of the GDPR.
Although the new regime is challenging, compliance is achievable provided suitable planning and preparation are undertaken, and the correct steps are taken at the right time – beginning with a thorough audit of existing data processing practices. The UK’s Information Commissioner’s Office (ICO) has published useful guidance for employers on the “12 steps to take now”. In order to meet the new obligations, co-operation in, and understanding of, the issues across the business is critical, and employers are therefore likely to need Legal, HR, IT and Compliance teams to take an integrated approach.
Red flags for employers
The most important issues for employers, potentially involving changes to existing practices and/or new and significant administrative burdens, will include:
- Grounds for processing employee data need to be audited: Employers will need to carefully consider the basis on which they process employee data. Employee consent to processing will almost certainly be invalid in the employment context, because the imbalance of power between employer and employee means it is unlikely to be freely given, and, in any event, consent can be withdrawn at any time. Grounds which have historically been relied on, such as the employer having a legitimate interest in the data processing, will be open to challenge due to a new right for employees to object to processing on this ground, which cannot be overridden unless the employer can demonstrate compelling legitimate grounds for the processing.
- Data subject access requests will be easier for employees: Employees will be able to make data subject access requests without restriction and without payment of a fee, unless the requests are manifestly unfounded or excessive. Employers must respond without ‘undue delay’ and no later than one month (subject to a two-month extension for complex or multiple requests). At present, the GDPR provides no exemptions (even on the grounds of legal privilege) which an employer can rely on to avoid providing the employee’s personal data.
- Extensive information will have to be given to employees when obtaining personal data: An administratively onerous net is cast over employers with the requirement to provide an extensive list of information to employees at the point when employers obtain their personal data.
- Routine criminal records checks may not be allowed: Employers may have to review any policy of routinely conducting standard (ie not enhanced) criminal records checks. Under the new regime this appears to be unlawful on the basis that there is no requirement under UK law to carry out these checks.
- Employees have new rights to erasure and rectification of their personal data: Employers must promptly erase an employee’s data if one of a number of grounds applies, including that the data is no longer necessary for the purpose for which it was collected. Where data is alleged to be inaccurate, employers will also have onerous responsibilities to check and rectify the data and will be restricted as to how it may be used in the interim.
- Employees have the right not to be subjected to automated decision making: Unless it is necessary for entering into, or performance of, a contract between the employer and employee, is authorised by EU or UK law, or is based on the employee’s explicit consent, employees have the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions produce legal effects for them or similarly significantly affect them. This is likely to apply to matters such as automated shortlisting; performance management triggers for sickness absence; attendance bonuses; and holiday or shift rostering. Employers will therefore need alternative, human-reviewed mechanisms for decision making if challenged.
- Employers must notify any data protection breaches within 72 hours: Employers will have to notify the relevant national data protection authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach resulting in unauthorised loss, amendment or disclosure of data, unless the breach is unlikely to result in a risk to the rights of the employees. If there is a high risk to employee rights, employers will also have to promptly communicate the breach to the affected employees individually.
- Employers must be audit ready at all times: Employers are expected to set up systems in a way which ensures compliance by design and by default – restricting the data collected, the uses to which it is put and who has access to it. The onus is on employers to prove compliance, and they must keep records and have policies in place to demonstrate it.
- Data protection standards may be ‘ramped up’: The long awaited harmonisation arrangements mean national supervisory authorities will be required to co-operate, assist each other in performing their tasks, provide mutual assistance and actively take steps to achieve consistent application throughout the European Union. On the basis that member states with stringent laws on data processing are unlikely to want to compromise their protection, this may lead to a ‘ramping up’ of data protection across Europe to the highest common standard. The concept of a lead supervisory authority for cross-border processing is also being introduced, which may be administratively beneficial for multi-national organisations; however, as the national supervisory authority will remain competent in a number of circumstances, it remains to be seen how effective having a lead authority is in practice.
- Transfers of data to third countries may be easier: Under the new regime, personal data may be transferred to a third country or an international organisation where there is a Commission finding of adequacy, where appropriate safeguards are in place (eg binding corporate rules or standard contractual clauses adopted by the Commission or the ICO), or where one of a number of prescribed derogations is met. The recent impact of the Schrems case (which declared the Safe Harbour regime invalid) may therefore be resolved if the EU-US Privacy Shield is given a final finding of adequacy.
- Sanctions are extremely onerous: Infringements relating to matters including the basic principles for processing (including the conditions for consent) and the rights of data subjects will attract maximum penalties of €20,000,000 or 4% of total worldwide annual turnover, whichever is higher.
- Appointment of a DPO may be required: Employers must appoint a data protection officer (DPO) if they are a public authority, are required to do so by local law, have core activities which require regular and systematic monitoring of individuals on a large scale, or carry out large scale processing of sensitive data or criminal records data. The DPO is expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the GDPR.
With the regulation expected to apply from 2018 (and no need for national implementing legislation), employers would be wise to use this lead-in period to fully analyse their existing data processing habits, question what data collection and processing is truly necessary for the employment relationship, and introduce new policies and procedures to manage the data processing cycle, so that they can enter 2018 with their house in order, fully equipped to address the data processing challenges ahead.
There is no doubt that the arrival of the GDPR is timely, coming at a point when information and communication technologies now underpin all aspects of the employment relationship and when employee awareness of individual privacy rights is high. Employers who have previously taken a more pragmatic view of compliance for employee data, prioritising protection of consumer and customer data instead, can no longer afford to do so.