The General Data Protection Regulation (GDPR) comes into effect in May 2018, and will introduce eye-watering financial sanctions for breaching it.
With penalties of up to 4% of worldwide turnover or €20 million (whichever is greater), plus the detrimental effects a breach could have on an employer’s reputation, compliance is an urgent priority.
The Taylor Vinters employment team recently hosted a series of seminars, led by Razia Begum and Rachel Ashwood, on the handling and processing of HR data under the GDPR. Crucially, the sessions outlined the practical steps that employers should be taking now to prepare for the new regime. The seminars provoked interesting discussion amongst delegates and highlighted common themes that are already causing concern for those that handle HR data. This article summarises the key impact of the GDPR for those that handle HR data, together with associated action points.
1. Consent
Under the GDPR, an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Further, it is important that an employee is able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that an employee’s consent must take, it is highly unlikely that the blanket data protection consent clauses we are all used to seeing in existing employment contracts and policies will meet the new requirements.
Action point: Employers should review the basis they rely on for processing employee data (in employment contracts and policies, etc.) and consider whether it will still be appropriate to rely on consent. Where consent is used, it is advisable to do so in conjunction with another valid basis for processing employment data as a “belt and braces” approach, such as where the employer has a legitimate interest in processing the data.
2. Subject Access Requests
The right of employees to request information about the personal data processed by their employer remains broadly similar under the GDPR. However, under the new regime, the starting position will be that employers must respond to a request without undue delay (and, in any case, within one month of receiving the request). Moreover, the current £10 fee for making a request will be abolished. Whilst there are provisions that enable an employer to charge a fee, extend the time limit for responding and even not respond at all, precise guidance is yet to be released by the Information Commissioner’s Office (ICO).
Action point: Employers will need to update relevant policies and procedures to ensure they reflect the new regime. It may also be timely to consider both whether IT systems are “smart” enough to retrieve data (at the right time) and whether employees should be able to access more of their personal data online, so as to reduce the need for them to make Subject Access Requests in the first place.
3. Privacy notices
Under the GDPR, employees must be provided with much more detailed information about the personal data that their employers hold. For example, employers must tell employees the purpose for which any personal data is processed and what the legal basis is for doing so. Amongst other things, any relevant data retention policy must be explained, along with the employees’ rights in relation to their personal data, their right to withdraw consent to processing and their right to lodge a complaint with a supervisory authority. Notwithstanding the volume of information, all details must be provided in a manner that is concise, transparent, intelligible and easily accessible.
Action point: The recommended way to convey this information is to issue privacy notices to staff, which are easily understandable and accessible. Any such notice will need to be constructed to ensure it contains all of the mandatory information and issued to staff in advance of the GDPR taking effect. Notices will also need to be kept under review to ensure they accurately capture any new types of data collected or any changed uses for that data.
4. New (and enhanced) employee rights
The GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with the suite of so-called “delete it, freeze it, correct it” rights, which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.
Action point: Employers should familiarise themselves with the new rights to ensure that processes and data management systems are capable of responding to these rights, as and when they are invoked by an employee.
5. Data Protection Officers (DPO)
It will be compulsory for public authorities or private companies involved in systematic monitoring or large-scale processing of sensitive data (e.g. health data or criminal records) to appoint a DPO. The DPO will advise the business on all GDPR matters, monitor compliance, ensure that appropriate data policies and training are implemented and be a point of contact for the supervisory regulator. Even where the appointment of a DPO is not mandatory, it may be useful in any event to appoint someone to this position to demonstrate a commitment to comply with the GDPR.
Action point: First and foremost, employers must determine if the appointment of a DPO is required. If yes, thought should be given to whether this role is assigned to an existing member of staff or whether a new hire is required. If it is an existing hire then what measures need to be put in place to ensure that the role can be carried out without a conflict of interest arising, vis-à-vis their existing duties? Even if there is no legal requirement for a DPO, is a DPO or similar role something that the employer wants to create within its organisation?
6. Lead regulatory authority
Employers that process personal data in multiple EU jurisdictions, or data concerning data subjects in more than one Member State, must identify which national regulator will be the “lead regulator” for data protection supervisory matters. Such a situation may arise where a company is carrying out processing activities in several Member States and is being investigated. The “lead regulator” will be the one that is based in the country where the employer has its main establishment (or the main place where decisions about data processing are made). Once identified, the employer must familiarise itself not only with the general EU-wide provisions of the GDPR, but also with any country-specific rules that apply in certain sectors, as provided for in the GDPR.
Action point: In some cases, identifying where a business has its key establishment or where key data processing decisions take place will be obvious (for example, where there is a traditional HQ). However, where this is less obvious, businesses should map out where their most significant relevant decisions are made to identify where the relevant lead regulator will be.
7. Data Breach Notification
Under the GDPR, employers must notify data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This applies to all data breaches, except those which are unlikely to cause harm to affected employees or other individuals. Further, where the breach is likely to result in a high risk to the rights and freedoms of employees, the employer must also notify the affected employees “without undue delay”. Whatever the degree of the data breach, employers are required to keep a record of all breaches and allow the supervisory authority to inspect such records as part of any potential audit exercise.
Action point: Establishing a data breach response plan will be key. Employees must be made aware of how to report breaches, to whom and when. Crucially (so as to not deter employees from reporting data breaches), it is key that businesses do not fall into the trap of creating a blame culture. Consideration should be given to the role IT can play in the response plan – from preventing data loss in the first place through to detecting and thereafter “red-flagging” potential breaches.
8. Routine Criminal Record Checks
Although standard and enhanced Disclosure and Barring Service (DBS) checks will still be permitted under the GDPR, employers (as things currently stand) will not be able to conduct routine basic DBS checks on all employees, regardless of their role. Even consent from the individual is unlikely to justify such checks given the unequal bargaining positions of the respective parties.
Action point: It remains to be seen whether legislation will be enacted to change this position. However, if not, employers must cease carrying out routine basic criminal background checks on all employees as a matter of course from May 2018.
Watch this space!
In addition to the obligations under the GDPR, Member States are also expressly authorised to implement national level and more specific rules relating to HR-related personal data. In practice, this means that employers may also need to be mindful of new rules about personal data for the purposes of recruitment, performance of the employment contract, diversity, health and safety, etc. To date, there has been no indication from Member States if and when they will exercise the right to make domestic rules on HR-related data. However, employers should continue to follow any national law developments and watch this space. If Member States do decide to create domestic rules on employment personal data, employers will need to check the legal position under not only the GDPR but also in each Member State where they operate.
The information above gives a flavour of the key changes that the GDPR is likely to bring to the processing of employment data, and of those which our HR delegates seemed particularly mindful about (and rightly so!). Given the significant changes that some businesses will need to implement to comply with the new regime, our firm advice is to begin the process now, as May 2018 is less than a year away. The clock is ticking as we speak.