Last month the Government issued its statement of intent to publish a new Data Protection Bill. The Data Protection Bill will bring into law the EU's General Data Protection Regulation (GDPR) which takes direct effect in the UK on 25 May 2018 and will be the most comprehensive overhaul of data protection law in this generation. The new regime for handling personal data has particular challenges for employers in their capacity as data controllers with increased rights for individuals and enhanced fines for non-compliance.
From an employer's perspective there are three key areas to grapple with as we highlight below. We do not expect significant changes to these in a post-Brexit United Kingdom.
Approach to consent
Much has been said about the reliance on consent to legitimise the processing of the personal data of job applicants and employees. Under the existing regime, the Information Commissioner's Office (ICO) has expressed the view that it is not optimal for employers to seek to rely upon consent, as it is difficult to establish that consent is "freely given" in the context of the employer/employee relationship. Employers have therefore been encouraged to move away from inserting blanket consent provisions in their employment contracts and instead to ensure they can satisfy one of the other conditions provided for the processing of ordinary or sensitive personal data.
The GDPR reinforces and strengthens this principle by placing an even higher threshold on consent. Consent under the GDPR (whether in respect of ordinary or sensitive personal data) is defined as "freely given, specific, informed and explicit", which in practice requires a statement or clear affirmation. It cannot be relied upon where there is a significant imbalance between the position of the data subject and the controller. Where a consent provision appears in some broader document, it must be highlighted clearly and the individual should be informed of their right to withdraw their consent.
The ICO's draft guidance on how consent will operate under the GDPR strongly discourages employers from continuing to rely upon consent to legitimise their data processing. Accordingly, employers would be well-advised to update their template employment contracts to remove standard consent clauses, and otherwise to ensure that their processing of employee data satisfies one of the other relevant conditions.
Separately, employee privacy notices will also need to be reviewed to ensure that all relevant information about the employer's data processing is covered. The requirements under the GDPR for a "fair processing notice" are far more prescriptive than under the Data Protection Act 1998.
Subject access requests
The rules on data subject access are changing. The timescale for an organisation to respond will be reduced from 40 days to "without delay" and at the latest within one month, although this may be extended by up to a further two months where necessary to take account of the complexity of the request.
The £10 fee has also been abolished and employers will not be able to charge a fee in the majority of cases. This is a significant change. According to the Ministry of Justice's Impact Assessment, the removal of the fee will increase the number of subject access requests by 25% to 40%, including those which are vexatious or frivolous.
The GDPR contains no guidance for employers tackling extensive subject access requests which require significant retrieval exercises, or dealing with requests made to fuel parallel litigation. Responding to these requests is still likely to be expensive and time-consuming, with the penalties for non-compliance increasing. Employers can take limited comfort in the fact that where requests can be said to be "manifestly excessive", particularly in terms of their repetitive nature, a reasonable fee can be charged (based on the administrative cost of providing the information) or the employer may refuse to act on the request at all. What will amount to "manifestly excessive" remains to be seen but the exception is going to be narrow and it will be the employer's burden to demonstrate why the request is manifestly excessive. All in all, this is unwelcome news for those employers who face regular subject access requests from employees and ex-employees in the context of some parallel dispute.
The GDPR also introduces other rights for individuals which employers will need to respect, including an enhanced right of data erasure and a new right of data portability.
Appointment of Data Protection Officer
Under the GDPR there is a new mandatory requirement for certain organisations to appoint an in-house Data Protection Officer. This requirement will apply to public authorities, organisations which process sensitive personal data on a large scale and organisations which carry out monitoring of individuals on a large scale. The majority of large organisations will therefore be caught by this provision.
The DPO will be tasked with giving advice on compliance, monitoring policies and audits, ensuring that documentation requirements are followed and co-operating with the applicable supervisory authority. The DPO will have a hybrid, self-regulating role within the organisation. The DPO must be independent and cannot be instructed on how to carry out their tasks, and must also report to the highest level of management. In addition, the DPO will have special "protected status", as they cannot be dismissed or penalised for performing their tasks; such protection is novel for UK employers and goes beyond the existing protection available to "whistleblowers". This in turn may create challenges for an employer where there is a genuine need to take action against a DPO, for example to address legitimate performance concerns.
According to a study commissioned by the ICO into the implications of the GDPR, the vast majority of companies with over 250 employees already employ staff with a job role focused on data protection compliance. In these cases, except for making the necessary changes to the job specification, the organisation should not need to expend significant resources to comply with the new requirements. Other organisations will need to recruit to this position, and a DPO position may well command a significant remuneration package to reflect its importance and seniority.
What to do now
Audit how the personal data of employees, former employees, contractors and job applicants is processed to ensure that each aspect of the processing can be justified (on a basis other than consent).
Remove standard consent clauses from template employment contracts.
Update employee and recruitment privacy notices to cover the information around data processing prescribed by the GDPR.
Implement a clear protocol to reduce the burden of responding to subject access requests (particularly for organisations that regularly receive requests).
Consider appointing a Data Protection Officer or updating existing job descriptions.
Train and educate staff on their data protection responsibilities.