When the GDPR came into force, businesses were at different stages of the compliance journey, with many still working towards becoming compliant with data protection requirements. With the first anniversary of GDPR on 25 May 2019, now is a good time for employers to assess where they are in their data protection compliance plan. This note focuses on the particular data protection issues businesses have as employers, and is aimed at HR departments, employment in-house counsel, and others who gather and process personal data from an employment perspective. We have set out below 5 key GDPR issues for employers.
Data minimisation and retention
Employers must ensure that only the minimum amount of personal data necessary for each specific purpose is processed and that it is kept no longer than necessary for the purposes for which it was processed.
Employers should be mindful that poorly managed data retention significantly increases the burden created by subject access requests (SARs). Given that employers now have only one month to comply with these requests (extendable by up to two further months only where requests are complex or numerous, and the individual must be told of the extension within the first month), an increased focus on retention helps ensure that:
- the time and cost of dealing with SARs is no greater than necessary, and
- SARs do not flag wider non-compliance issues in relation to unnecessary processing of personal data.
Data cleansing systems must be in place to ensure that HR, line managers and anyone else who processes staff personal data comply with the data retention policy. Staff personal data for which there is no longer a lawful basis for processing must be securely deleted or destroyed, or else fully anonymised. Note that merely pseudonymised data (for example, records keyed by a staff number that can still be matched back to a person) remains personal data and stays within the GDPR.
The increased and serious sanctions for non-compliance with the GDPR (fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher) mean employers must be strict about managing data retention properly. We recommend that employers audit their data cleansing practices to establish whether they are complying in practice with stated data retention periods.
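The audit recommended above can be partly automated. The following is an added example (not part of the original note, and not an implementation from any HR system or law firm) showing how a retention audit can be run over exported HR records: each record is checked against a documented retention schedule, records past their retention period are flagged for secure deletion, and records with no documented lawful basis or no defined retention period are flagged for human review rather than auto-deleted. The retention schedule, the field and category names, and the sample records are all constructed for illustration; an employer must substitute its own documented retention periods, which vary by jurisdiction and record type.

```python
"""Retention audit over HR records (added example; schedule and data are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical retention schedule: category -> (date field that starts the clock, days to keep).
# These periods are illustrative only, not legal advice; use the employer's own documented policy.
RETENTION_SCHEDULE = {
    "personnel_file": ("leaving_date", 6 * 365),     # keep for 6 years after the employee leaves
    "unsuccessful_applicant": ("created", 180),      # keep for 6 months after the recruitment decision
    "sickness_absence": ("leaving_date", 3 * 365),   # keep for 3 years after the employee leaves
}


@dataclass
class HRRecord:
    record_id: str
    category: str
    created: date
    leaving_date: Optional[date] = None   # None for current employees
    lawful_basis: Optional[str] = None    # e.g. "contract", "legal obligation"; None = undocumented


@dataclass
class Finding:
    record_id: str
    action: str   # "delete", "review" or "retain"
    reason: str


def retention_finding(rec: HRRecord, today: date) -> Finding:
    """Decide what the retention policy requires for one record as at `today`."""
    if rec.lawful_basis is None:
        # The policy says such data must go, but an undocumented basis may be a
        # record-keeping gap rather than unlawful processing, so route to a human.
        return Finding(rec.record_id, "review", "no lawful basis documented")
    schedule = RETENTION_SCHEDULE.get(rec.category)
    if schedule is None:
        return Finding(rec.record_id, "review",
                       f"no retention period defined for category '{rec.category}'")
    trigger_field, keep_days = schedule
    trigger = getattr(rec, trigger_field)
    if trigger is None:
        # e.g. a current employee whose clock only starts on leaving
        return Finding(rec.record_id, "retain",
                       f"{trigger_field} not set; retention clock has not started")
    expiry = trigger + timedelta(days=keep_days)
    if today > expiry:
        overdue = (today - expiry).days
        return Finding(rec.record_id, "delete",
                       f"retention expired on {expiry.isoformat()} ({overdue} days overdue)")
    return Finding(rec.record_id, "retain", f"retention expires on {expiry.isoformat()}")


def audit(records: List[HRRecord], today: date) -> List[Finding]:
    return [retention_finding(r, today) for r in records]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    counts = {"delete": 0, "review": 0, "retain": 0}
    for f in findings:
        counts[f.action] += 1
    return counts


# Constructed sample export; every value is made up for the example.
AUDIT_DATE = date(2019, 5, 25)
SAMPLE_RECORDS = [
    HRRecord("p-001", "personnel_file", date(2005, 1, 10), date(2012, 3, 31), "legal obligation"),
    HRRecord("p-002", "personnel_file", date(2015, 6, 1), None, "contract"),
    HRRecord("a-017", "unsuccessful_applicant", date(2018, 9, 1), None, "legitimate interests"),
    HRRecord("a-018", "unsuccessful_applicant", date(2019, 3, 1), None, "legitimate interests"),
    HRRecord("s-009", "sickness_absence", date(2017, 2, 3), date(2018, 1, 15), None),
    HRRecord("x-001", "expense_claims", date(2018, 11, 20), None, "contract"),
]

if __name__ == "__main__":
    findings = audit(SAMPLE_RECORDS, AUDIT_DATE)
    for f in findings:
        print(f"{f.record_id:<6} {f.action:<7} {f.reason}")
    print(summarise(findings))
```

Run against the constructed export, the script flags two records for deletion, two for review and two for retention. Running it on a schedule keeps the "stated retention periods" and the "practice" side by side, which is exactly the gap the audit is meant to expose; the "review" bucket is deliberately separate from "delete" so that a missing lawful-basis entry or an uncategorised record type is corrected by a person, not silently purged.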
Managing subject access requests
SARs are often made by disgruntled employees or ex-employees in the context of a dispute. If they believe their request has not been dealt with properly, they will generally not hesitate to report this to the Information Commissioner's Office (ICO).
Since the introduction of the GDPR, the number of complaints reported to the ICO has increased significantly. The ICO's most recently reported statistics (December 2018) show a rise in the number of complaints from 9,000 to 19,000 in a comparable six-month period.
It is important to get the SAR process right:
- to avoid the risk of regulatory scrutiny: if, following a complaint about a failure to respond appropriately to a SAR, the ICO's investigation reveals that data handling practices are not compliant, the employer potentially faces significant sanctions
- in addition, the ICO may bring criminal proceedings against the company or its directors if steps have been taken to alter, erase, destroy or conceal data with the intention of preventing its disclosure in response to a SAR (an offence under section 173 of the Data Protection Act 2018)
Managing requests to remove data from your systems
Employees have the right to erasure (permanent deletion of data relating to them) and the right to restrict or object to processing. The right to erasure is not absolute: it applies in specified circumstances, for example where the data is no longer necessary for the purpose it was collected for or is being processed unlawfully, and it does not apply where the employer must retain the data to comply with a legal obligation or to establish, exercise or defend legal claims.
The widespread publicity around the GDPR means that people are more aware of these rights and more likely to exercise them. And, as the post-GDPR statistics above show, they are now also more likely to complain to the ICO if their request is not managed appropriately.
Complying with these requests is a challenge for many businesses. Employers must have robust processes in place on how to manage requests to remove data, and ensure that these are followed strictly. If not, a subsequent SAR could reveal that they have not complied with these requests.
Data security and breach notification
Employers must keep personal data secure to protect the privacy of their staff. To reduce the risk of a data breach, it is important all staff know their data protection and security obligations.
Employers should consider reviewing and updating their security measures regularly as data breaches are becoming more commonplace and perhaps inevitable - and sanctions are potentially very significant. The ICO published figures showing a rise in the number of reported data breaches in a comparable three-month period from less than 700, to over 4,000 after the introduction of the GDPR.
Employers must notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to individuals' rights and freedoms, those individuals must also be notified without undue delay. If employers fail to meet the 72 hour deadline, the notification must be accompanied by reasons for the delay, and the ICO may take late reporting into account when setting penalties. Whether or not a breach is notifiable, it must be recorded internally.
So employers must have robust processes for reviewing, documenting and notifying breaches, to enable them to act quickly when they become aware of a data breach.
In addition, the decision in the class action against Morrisons Supermarkets (see our update "Court of Appeal confirms supermarket vicariously liable for data breach") that Morrisons was vicariously liable for a data breach by a rogue employee sends a clear message: unless and until that decision is reversed (Morrisons is appealing to the Supreme Court), employers should insure against data breach, because even an employer that has done everything reasonably possible to secure the personal data it holds may still be liable for breaches caused by rogue employees.
Demonstrating compliance to the ICO
Accountability is key to compliance with the GDPR. Employers must not only comply with the data requirements – they must also be able to demonstrate compliance if challenged by the ICO.
So throughout the design stage of any policy, process, product or service, data protection risks must be taken into account, which means:
- assessing and implementing appropriate and proportionate technical and organisational measures and procedures from the outset
- having mechanisms in place to ensure that only personal data necessary for each specific purpose is processed
- completing a detailed Data Protection Impact Assessment (DPIA) before carrying out "high risk" processing, such as systematic monitoring of staff (for example CCTV) or large-scale processing of special category data in certain circumstances. If the DPIA shows a high residual risk that cannot be mitigated, the employer must consult the ICO before starting the processing. The DPIA process ensures that employers identify, assess and evaluate the risks to their staff from projects or data processing activities.
Employers must also maintain a record of their data processing activities, which must be made available to the ICO on request. This record should include information about the purposes of processing, the categories of data and data subjects, any recipients, data retention periods and security measures. The obligation applies to all employers with 250 or more employees, and to smaller employers where the processing is not occasional, is likely to result in a risk to individuals, or involves special category or criminal offence data; in practice that covers most HR processing.