In the context of an escalated General Election, Article 50 being triggered, Mrs May’s commitments to leave the single market, talk of new trade agreements with countries outside of Europe, and news that several banks will be moving staff to continental Europe, it might be easy to forget that no matter how Brexit negotiations play out, the General Data Protection Regulation (GDPR) will become law in this country, as well as across the rest of Europe, on 25 May 2018.
Even once we have Brexited there is much to suggest that our privacy laws will need to stay the same or similar to the GDPR, to enable businesses trading across continental Europe to continue doing so without the need for complicated and cumbersome alternative arrangements to be put in place. In addition, one might arguably consider the protection of employees’ information to be a worker’s right which the UK Government has indicated will be protected post-Brexit.
It is essential to act now as the GDPR will affect many parts of your business, from HR records to customer lists and contact details, all of which will be covered by the new rules.
The GDPR develops many of the concepts with which we are familiar under our current data protection law but also introduces new concepts. One significant change is the very considerable increase in potential penalties, which will jump from the current maximum of £500,000 to either the greater of €10 million or 2% of the undertaking's annual total worldwide turnover, or the greater of €20 million or 4% of that turnover, depending on the type of breach.
Are you allowed to hold and share data about your employees?
Currently an employer needs a lawful reason to be able to process data about its employees. Many employers rely on the assertion that the employees have consented to that processing, often via a clause in their contract of employment. This is despite the fact that the UK Information Commissioner and the EU Working Party have made it clear that they do not consider that consent can be genuinely freely given in an employment context, where the alternative to giving consent is not being offered the job or having some other penalty imposed. The GDPR expressly states that consent may not be used if there is a significant imbalance between the parties and expressly refers to the employment context as an example of such an imbalance. Therefore, although the concept of consent under the GDPR remains similar to the current requirements in that consent must be freely given, specific, informed and a positive indication of the wishes of the employee, it is highly unlikely that genuine consent (for data protection purposes) can be given under the GDPR in an employment context.
Even if consent can genuinely be given in the first place, employees will need to be told that they have the right to withdraw their consent and the way of doing that will have to be as easy as giving it in the first place, so a simple note to their manager or HR will suffice. Employers will then be left with a fundamental problem: as soon as an employee withdraws their consent, the employer will be unlawfully processing their data unless there is another lawful ground to rely upon. The advice therefore is not to rely on consent but rather to consider it a potential, if unreliable, backup to other lawful grounds for processing.
Employers are allowed to process data in order to comply with their legal obligations or to perform the terms of an employment contract. These grounds are helpful in respect of some employee information, particularly relating to payroll, but they clearly do not cover many documents that one typically finds in personnel files, such as appraisals. It is predicted that the most widely used lawful ground for processing will become what is known as the legitimate interests ground. However, there are limitations on this ground as it only allows processing of data which is necessary for the purposes of the employer’s legitimate interests and only where those interests are not overridden by the rights and freedoms of the employee; in other words, a balancing exercise has to be conducted between the interests of the employer and the interests of the employee.
Several principles are tightened up under the GDPR:
- Accuracy. Data must be kept up to date, and inaccurate data will need to be corrected or erased without delay.
- Data minimisation. In other words, employers will only be able to hold data which is necessary for the purpose for which it is being processed. This means that retention periods should be set to a minimum.
- Purpose limitation. The reason why the data is being processed must be specific, explicit and of course a legitimate purpose in the first place.
- Transparency. There will be greater need for employers to explain their actions and decision making.
- Clarity. Employers must make sure that the information they provide to employees is both concise and written in plain, easily understood language.
There are undoubtedly tensions between some of these principles and other business interests. For example, the obligations to keep data up to date and only process data which is necessary would suggest that once an employee leaves the organisation, much, if not all, of the data held about them should be deleted. However, your business must also be mindful of its other legal duties such as keeping records for tax and immigration purposes. Further, the business will undoubtedly want to keep information about former employees, at least in the short term, to help in the defence of any employment claims which the former employee may bring. Redundancy selection information about successful candidates may well need to be retained to defend claims brought by those who were, in fact, made redundant. In other words, the reasoning will not always relate to the individual who is the subject of the data. The upshot is that each type of information should be considered and your business should set a destruction period for each type based on objective reasoning.
In the employment context, we tend to think simply of subject access requests, i.e. the employee’s right to request details of the information which their employer holds about them. However, under the GDPR, employees will have new rights: the right to have some of their information transferred to, for example, a future employer; the right of erasure (dubbed the “right to be forgotten” by the press); the right of restriction (which in effect puts information in limbo and prevents further processing while a dispute between the employer and the employee is resolved); and the right to object to the processing of their data and to object to profiling (i.e. analysis or prediction of performance at work via automated methods).
Currently an employer can require an employee to pay a £10 fee when submitting a subject access request. That option will no longer be available under the Regulation. Subject access requests have long been part of the litigator’s arsenal as a means of obtaining documents at an earlier stage than disclosure. Particularly in the context of large-scale claims such as equal pay, subject access requests may become all the more disruptive for employers. One can easily imagine a trade union submitting subject access requests on behalf of all its members involved in an equal pay claim where there is no fee to pay. The further bad news is that employers will no longer be able to provide a summary of the data held but will have to provide copies, and the normal time frame for responding will be one month, shortened from the current 40 days. Many may consider that the final nail in the coffin of subject access headaches is that employers are encouraged to provide the information electronically and this is the default position if the request is made electronically (e.g. by email, as is quite likely).
Data protection officers (DPOs)
Depending on the nature of the business’s core activities, some employers will need to appoint data protection officers, who will benefit from further rights and in respect of whom employers will have new obligations.
A data breach is a breach of security which results in the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data. Fundamentally, there is no concept of severity, so simply sending an email with all the recipients’ email addresses in the “To” field rather than the “Bcc” field, so that everyone can see each other’s email addresses, is a data breach. There are common examples of employees losing their laptops or their phones which, unless the devices are sufficiently encrypted to render the data inaccessible or unintelligible to anyone who finds them, are likely to be data breaches. There will also be a duty to report most data breaches to the Information Commissioner within a newly established time period of 72 hours of becoming aware of the breach, and a new duty to report some breaches to the employees themselves.
The GDPR: An 11-point action plan for HR teams
The impending changes to privacy law will impact a range of business functions, requiring significant investment from HR professionals in particular. Combined, the following points of action provide a comprehensive checklist, guiding HR teams through the preparation process.
Establish who will be responsible for data protection compliance – particularly important within SMEs which do not have a DPO.
Consent or other reason?
Assess whether the business wishes to take the significant risk of relying on consent for processing data or identify the legitimate interests of the employer which will be relied upon to process each type of data held about the employees.
Transfers outside of the EEA
In the context of any transfer of data outside of the EEA, again assess whether the business wishes to take the risk of relying on consent or, in the case of US organisations, the lower risk of relying on the Privacy Shield certification or whether to put in place binding corporate rules or intra-group Standard Contractual Clauses.
Rewrite internal information notices/data protection policies to include all the required new information (such as the lawful ground relied on for the processing, details of any transfers of data and the reasons for them, how such data will be protected once it is transferred from the employer, how long information is kept, and an explanation of all of the individual rights set out above along with the right to complain to the DPO).
Work with IT to ensure that appropriate encryption technology is deployed on all company devices given out to employees.
Provide training to managers both about the employees’ new individual rights and about the new security obligations, so they know that when one of their team loses their phone it is not simply a matter of calling IT to remotely disconnect it and order a replacement device.
Provide training to employees on how to handle the personal data that they will have access to during their employment.
Data breach policy
Draw up a procedure for handling and reporting data breaches within the time frames required and for establishing who needs to be informed.
Update (or draft) retention and destruction policies.
Subject access policy
Update policies regarding subject access requests and ensure you have a procedure in place for responding in a timely manner.
Particularly when purchasing new HR software, consider the structure of the HR databases to ensure that they allow the employer to access the data to comply with the individual rights of access, restriction, objection and portability.
Automated decision making
If you use profiling, i.e. automated decision making, put in place a procedure for dealing with objections.
And remember, the ethos of the GDPR is not only about implementing controls; it is as much about measuring the effectiveness of those controls. Compliance alone will not be sufficient; employers will need to be able to demonstrate their compliance. Privacy by design is the buzzword, and data protection authorities now expect organisations to ensure that privacy compliance activities are included in the business planning process.