The General Data Protection Regulation (“GDPR”) came into effect on 25 May 2018. The GDPR was designed to harmonise data protection law across the EU and greatly increases obligations on controllers and processors of personal data. GDPR has a significant impact on the use of employee and candidate data in particular and as such, all employers should familiarise themselves with it. Many companies were not adequately prepared by 25 May 2018 for the introduction of the new data protection regime. With this in mind, we set out below some of the main compliance elements that employers and HR professionals should focus on in the context of the GDPR.
In order to ensure compliance with the GDPR, it is essential for employers to gather information in relation to the company’s processing of personal data, including details of how personal data is collected and processed and what third parties have access to it.
The GDPR rests on a set of core principles set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Employers should consider whether the data they collect and use is necessary, relevant and proportionate when measured against these principles.
One of the most novel features of the GDPR is the accountability principle: it is not enough for a company to comply, it must also be able to demonstrate its compliance. Employers must keep records of the processing activities they carry out (often referred to as a data inventory) and regularly update the internal policies that evidence compliance (e.g. a policy setting out how the controller deals with data subject access requests). The record-keeping obligation in Article 30 contains a limited exemption for organisations with fewer than 250 employees, but it does not apply where the processing is more than occasional or involves special categories of data or data relating to criminal convictions, so in practice HR processing will almost always need to be recorded.
Identify a legal basis for HR processing
The GDPR requires employers to identify a legal basis for each processing of employee personal data they carry out. It has been very common for employment contracts to contain a general ‘catch-all’ consent clause intended to cover all processing of personal data by the employer. Under the GDPR, it is difficult to see how such clauses can continue to be treated as valid consent. To be valid, consent must be freely given, specific, informed and unambiguous. Given the imbalance of power between employer and employee, consent in the employment context, and especially consent to processing that is not genuinely optional, is arguably not “freely given”. An employee may also withdraw consent at any time, which would leave the employer without a lawful basis for processing it needs to carry out. Employers should therefore assess the other legal bases that permit processing of employee personal data, such as processing that is necessary for the performance of the employment contract, processing required to comply with a legal obligation, and processing necessary for the employer’s legitimate interests (where those interests are not overridden by the interests or rights of the employee).
Employers should identify where consent wording is used in employment contracts and HR policies and consider whether those documents require amendment. If it is considered that consent is the only legal basis on which particular data can be processed, “GDPR-standard” consent should be obtained through a standalone declaration or other document, separate from the employment contract, which is not linked to the employee’s acceptance of their employment with the employer.
GDPR compliant documentation
For employers, a review of contracts of employment and of the relevant data protection policies and procedures should be completed, and those documents should then be kept under review on an on-going basis.
As above, the contract of employment, and in particular the data protection and consent provisions set out in the contract, should be reviewed and updated where necessary.
Employers should also ensure they have a data protection policy that sets out how the company complies with its obligations under the GDPR and the records that it maintains in order to demonstrate compliance.
All data protection notices (or privacy notices) in use within a company should also be updated to meet the additional information requirements imposed by the GDPR. A data protection notice is a document that informs data subjects (e.g. employees or applicants) of the personal data relating to them that the company collects, the purposes for which it uses that data (including disclosures to third parties) in connection with the data subject’s application or employment, and their rights in relation to that data. Employers should ensure they have both an applicant data protection notice and an employee data protection notice that are GDPR compliant. These notices should be provided to the relevant data subjects at the time the company collects their personal data.
Where a company engages a third party service provider to process personal data on its behalf (an outsourced payroll provider, for example), that third party is regarded as a processor. Among other things, the GDPR (Article 28) requires companies to update their contracts with their processors to include detailed specific obligations, covering matters such as processing only on the controller’s documented instructions, confidentiality of staff, security measures, the use of sub-processors, assistance with data subject requests and breach notification, and the return or deletion of data at the end of the engagement. As there are no grandfathering provisions that would make contracts compliant with the previous data protection regime compliant under the GDPR, companies need to engage with their processors to ensure that amendment agreements or data processing agreements are put in place where necessary.
Employers are also advised to consider updating their employee data retention policies. The GDPR does not specify the period for which categories of documents containing personal data should be retained by employers. However, and subject to any applicable statutory retention period (for example, in respect of hours worked or parental/force majeure leave), when assessing the period of time that data should be retained, the data protection principles of necessity and proportionality apply. Retention periods should be assessed on a case by case basis by the company. It is important for employers to be comfortable with the retention periods and to be in a position to justify those retention periods.
Subject Access Requests
There are specific changes to the rights that apply to data subjects in respect of subject access requests (“SAR”) under the GDPR. The timeframe for responding to a SAR has been reduced from 40 days to one month. This period may be extended by two further months where necessary, taking into account the complexity of the request or the number of requests the employer is dealing with, but the employer must inform the data subject of any extension, and the reasons for it, within one month of receiving the request.
Data subjects can no longer be charged a fee for a request unless it is “manifestly unfounded or excessive, in particular because of its repetitive character”. Similarly, an employer may refuse a request on the same ground. Neither “manifestly unfounded” nor “excessive” has been defined in the regulation, so it remains to be seen when refusals will be upheld. The burden of demonstrating that a request meets these criteria falls on the employer, so we would advise putting in place, or reviewing and updating, specific policies and procedures and assessing your company’s ability to isolate the data relating to a specific individual quickly.
Data Protection Officer
Employers are obliged to appoint a data protection officer to oversee compliance with the GDPR in three instances: (i) the employer is a public authority or body (excluding courts acting in their judicial capacity); (ii) the core activities of the employer involve regular, systematic and large-scale monitoring of data subjects; or (iii) the core activities of the employer consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences. Where a company is required to appoint a data protection officer, the data protection officer must carry out certain designated tasks, must be able to act independently and may not be dismissed or penalised for performing those tasks, which gives them a form of protected employment status. It is also possible to appoint an external data protection officer on an outsourced basis.
Implications of a breach
The most notable feature of the GDPR is the introduction of potentially significant administrative fines for non-compliance. For the most serious infringements (including breaches of the core principles, the conditions for consent and data subjects’ rights), the Data Protection Commission may impose fines of up to 4% of the undertaking’s total worldwide annual turnover for the preceding financial year or €20 million, whichever is the greater. A lower tier of up to 2% of turnover or €10 million applies to other infringements, such as failures in respect of processor contracts, records of processing, security measures, breach notification and the data protection officer.
The GDPR also gives data subjects, such as applicants and employees, who have suffered material or non-material damage as a result of an infringement the right to claim compensation from the controller or processor responsible.
The GDPR also introduced a general mandatory notification regime for personal data breaches. Employers must report a personal data breach to the Data Protection Commission without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected data subjects. Where the breach is likely to result in a high risk to those rights and freedoms, employers must also notify the affected data subjects without undue delay. Every breach, whether or not it is notified, must be documented, including its effects and the remedial action taken, so that the Data Protection Commission can verify compliance. A processor, such as an outsourced payroll provider, must notify the employer without undue delay after becoming aware of a breach, and the employer’s 72-hour period runs from the point at which it becomes aware. Companies should therefore ensure that they are in a position to detect, assess and react to security breaches within these timeframes.
A key part of all GDPR compliance is implementing the data protection policy and related procedures to ensure on-going compliance. This is likely to involve specific detailed training for key staff who are responsible for handling employee personal data, and general awareness training for other staff members. It is important to ensure all staff are familiar with the relevant policies and procedures as well as the timeframes set out for completing certain obligations under the GDPR.