As part of our series of articles providing tips for employers ahead of the introduction of the General Data Protection Regulation (GDPR), we consider what changes may be required to policies and procedures.
Employers will be expected to comply the GDPR (which involves significantly more onerous standards and obligations than the current data protection regime) from 25 May 2018. This includes ensuring that data, and consents to data processing, collected before that date is brought into line with the new requirements.
The GDPR has introduced a new principle of accountability and employers now have a positive obligation to evidence their compliance with the data protection principles. As part of this exercise, employers should make time to review their contracts of employment and employee data protection policies and practices to get themselves 'GDPR ready'. Employers should, as a minimum:
1. Review contracts of employment and consent forms to:
- Ensure any data protection provisions to remain included in employment contracts are clear, specific and plainly worded.
- Ensure that if consent is to be requested it is sufficient for the intended purposes.
The GDPR will introduce a higher hurdle for obtaining consent to process personal data, requiring that consent must be unambiguous, specific, informed and freely given via clearly a statement of affirmative action. The usual blanket consents in employment contracts and 'opt out' mechanisms for obtaining consent are unlikely to be effective as the general wording in the clause will be insufficient to comply with GDPR requirements and the employee (particularly one in a more junior role) is unable realistically to choose to reject one particular clause before signing the employment contract.
Employers should consider instead relying on a different valid ground for processing employees' personal data such as where the processing is necessary for the performance of the contract or for the purposes of the employer's legitimate interests. This is because an employee will be able to withdraw consent at any time to the processing if the employer relies on consent as a valid ground for processing data, which would create significant difficulties for the employer.
Where consent is still required, such as when obtaining occupational health reports, then employers should obtain separate consents outside of the contract of employment to deal with the processing of data (and particularly sensitive personal data - to be known as special categories of data under the GDPR) for specific purposes. Clear records documenting the consent and also how it was obtained (to be able to demonstrate the processing is in accordance with the GDPR) will become all the more important. As such, having clear technical and organisational processes in place within HR teams is a must and such processes will need to be kept under review to be compliant.
Employers should be mindful that if consent is sought but the employee refuses then the employer is unlikely to be able to revert to another basis for processing. Hence, employers should think carefully before seeking to rely on consent. Further data obtained by consent carries additional rights for individuals (see below).
For more information about consent under the GDPR, see our article.
2. Introducing (or updating) a data protection policy which includes:
- Ensuring your employees understand:
- why data protection is important
- what personal data is
- The consequences of non-compliance
With substantial penalties for breach, including fines of up to (the higher of) 4% of annual worldwide turnover or #20million, it is important to have a comprehensive data protection policy (alongside any additional privacy notices) which explains your data protection responsibilities to your employees, informs them about your collection and use of their personal data, on what basis and why, and ensures that each person is aware of their individual responsibilities when handling personal data as part of their role.
Policies covering for example, CCTV, social media and IT which are employee facing will need to be revisited as well.
In order to satisfy the accountability requirement however, there must be more than a paper exercise; employees must at the least be trained and compliance kept under review.
Explains in plain language the data rights of employees
The GDPR clarifies and strengthens existing data rights of individuals, and creates some powerful new rights. The new rights are 'the right to be forgotten', 'the right to restrict processing' and 'the right to data portability'. Individuals will need to be informed of their data rights in clear and plain language which is easy to understand and cannot be hidden by employers. Again, having clear processes in place to facilitate these rights will be key to not breaching the GDPR.
In reviewing your procedures to ensure that these cover all the data rights of your employees, you will need to review the capability of your systems to allow you to meet your obligations, for example: how easily will you be able to locate and delete data when asked for personal data to be deleted; in meeting a request for data portability, can you provide the data in a structured, commonly used and machine readable form?
Details the employer's systems for dealing with compliance including applying the data protection principles
Employers should put in place data protection operating, audit and record systems to demonstrate compliance, such as details of (a) the standards expected of staff responsible for processing data; (b) mandatory training (including details of those responsible for overseeing the completion of such training); (c) how, when and by whom regular compliance checks will be carried out to ensure the policy is being adhered to in practice. The use of privacy impact assessments and privacy by design should also be clearly communicated.
In turn, employers will need a system for ensuring data held, including as part of these systems, is accurate and up to date and not kept for longer than is necessary.
Details the employer's systems for detecting and dealing with data breaches
The GDPR will oblige employers to report any personal data breach to the regulator (within 72 hours of discovery) if risk-such as discrimination, damage to reputation, financial loss- to employees is a likely consequence. A breach which is likely to result in high risk to the rights and freedoms of individuals will also trigger an obligation to notify those concerned directly.
The policy should set out clear guidelines on what amounts to a data breach, and a procedure to detect, report and investigate any breach, as well as guidelines for appropriate record keeping.
Set out clear rules and guidelines about how an individual's 'right to be forgotten' will be complied with
The GDPR will provide employees with a new right to require their employers to delete personal data in circumstances where: (a) the data is no longer necessary for the purpose in relation to which it was collected; (b) consent to processing has been withdrawn (if the employer has relied on the employee's consent to process the personal data); (c) the personal data was processed in breach of the GDPR; (d) the personal data has to be deleted to comply with a legal obligation; or (c) the employee objects to the processing and there are no compelling grounds to trump that objection (such as the data being required in legal claims involving the employer).
Details the process via which employees can withdraw their consent to certain types of data processing
If you are relying on an individual's consent to process their data, that consent must be GDPR compliant; employers cannot rely on pre-ticked boxes or silence to assume consent (see above).
The right to withdraw consent should be clearly highlighted to employees. Employers will be obliged under the GDPR to ensure that the process of withdrawing consent is as straightforward for the employee as the process for giving it. Managers and HR teams will need to understand this in order not to inadvertently make the withdrawal process more difficult.
Sets out details of the employer's process for dealing with data subject access requests
Employers should take note of the additional information which must be provided and new requisite timeframe for responding to data subject access requests under the GDPR, i.e. 'without undue delay' and within one month (or three months in cases which can be shown to be particularly complex), and set out a clear process which will assist it to comply with this requirement. A specific subject access policy and training for those who will dealing with them under the GDPR would be advisable.
Any template subject access request acknowledgement and response letters will need to be updated accordingly.
Provides details of the organisation's nominated Data Protection Officer ('DPO')
Public sector employers and private employers who process sensitive personal data on a regular or large-scale basis must appoint a DPO who will be responsible for providing compliance advice and breach notifications. Other employers will benefit from appointing a suitably trained individual as a data champion; any appointment into a DPO capacity will carry with it mandatory obligations under the GDPR which would not apply to a data champion.
Given the scale of the forthcoming changes and the consequences of breach, employers (and third party HR service providers) will benefit from conducting a thorough audit of current data processing systems, practices and documentation to determine what changes are required.
When and how international transfer of data take place
Employers who transfer personal data internationally (including where an employer uses equipment or resources located in another country), will need to inform employees about how and when this occurs and the safeguards in place as well as where those safeguards can be found.
Employers need to ensure that employees do not allow personal data to be inadvertently transferred to another country without the appropriate safeguards being in place and the correct process being followed to ensure the transfer is compliant. The constant use of email, in today's workplaces, could easily give rise to such a breach.