Employers have a legitimate interest in protecting their business, and that interest is a lawful basis for processing personal data at work. Processing carried out by an employer must be necessary to achieve a specific and legitimate purpose, must be proportionate to that purpose, and must not infringe employees' reasonable expectation of privacy.
1. The Rights of Employees
1.1 The GDPR provides that, in certain circumstances, employees will have an explicit right to have their personal data erased, i.e. the right to be forgotten. The concept of data portability envisages allowing employees to easily move, copy or transfer their personal data from one environment to another. In light of these rights, employers reviewing their procedures should assess whether their systems can readily export an employee's data to another environment and can locate and delete an employee's data when requested to do so.
1.2 The GDPR extends the information which must be given to employees regarding the processing of their personal data. The current law provides that such information should include the identity of the employer and the purpose for which the data is being processed. The GDPR goes further to require that individuals should also be informed of the details of any transfers of their data outside of the EU, their right to make a subject access request, their right to rectify and/or delete their personal data and how long their data will be stored.
2. Employee Consent
2.1 Consent is often used as a legal basis for the processing of personal data. Where consent is relied upon, the consent must be freely given, specific, informed and unambiguous.
2.2 Employee consent is generally not regarded by EU data protection regulators, including the Irish Data Protection Commissioner, as a valid legal basis for processing employee data. This is because an employee's consent is usually not deemed to be "freely given", in light of the imbalance of power between employee and employer.
2.3 The GDPR reflects this position, and states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract.
2.4 Furthermore, where consent is given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.
2.5 The GDPR also provides that data subjects have a right to withdraw consent at any time.
2.6 Employers may therefore wish instead to rely on a different legal basis for processing employee data, such as where the processing is necessary for the performance of the employment contract itself, for compliance with a statutory obligation, or for the purposes of the employer's legitimate interests. Where employee consent is relied upon, it should be obtained by way of a separate document rather than a data protection clause within the employment contract. Employers are advised to keep clear records documenting the consent itself and how it was obtained. Importantly, because an employee's consent may be withdrawn at any time, employees should be informed of this right.
3. Data Protection Officers
3.1 Article 37 requires a Data Protection Officer (DPO) to be designated by all public authorities or bodies, except courts acting in their judicial capacity, and by controllers and processors whose core activities consist either of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offences.
3.2 The Data Protection Officer’s role is conceived to enable controllers and processors to meet their data protection compliance obligations under the GDPR and thereby protect data subjects' fundamental rights and freedoms.
3.3 Article 39(1) states that the Data Protection Officer shall have at least the following tasks:
- To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
- To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
- To cooperate with the supervisory authority.
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
3.4 Somewhat unusually for a piece of legislation, the GDPR sets out explicitly minimum requirements which candidates for the mandatory DPO role must satisfy in Article 37(5) – “the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”.
3.5 The EDPS has recommended that the role of the data protection officer be a full-time position, in particular during any organisation’s start-up phase.
3.6 Article 83(4)(a) makes clear that failure to appoint a data protection officer is subject to the lower level of administrative fine, being up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
4. Preparatory Steps for Employers
Preparatory steps ahead of 25 May 2018, when the GDPR applies, might include the following:
- Conducting an audit. Employers should review all personal data held (to include that of employees, clients/customers, suppliers etc.) to ascertain why/how it was obtained, why it continues to be held and for how long, how secure it is and whether it is ever shared with third parties and on what basis, etc.
- Reviewing security procedures and existing policies/procedures or creating new policies/procedures (where required) to ensure compliance. It will be essential to have in place a comprehensive data protection policy. Policies governing CCTV, social media and IT should also be considered.
- Keeping up to date with developments leading up to May 2018. Although its status as a Regulation means that the GDPR will be directly applicable in Ireland from 25 May 2018 (i.e. without the need for implementing legislation), new Irish legislation is expected which will provide further guidance regarding the GDPR. The ODPC has helpfully produced guidance on its website for organisations in relation to the GDPR, which employers should take time to review and become familiar with.
- Considering whether there is a need to appoint a DPO and/or a working group, internally or externally, who will be responsible for implementing the GDPR and ensuring compliance. Employers should also spread awareness of the imminence and impact of the GDPR within their businesses.
- Impact Assessments. In certain circumstances, employers may have to carry out impact assessments where projects may pose a high risk to individuals’ data protection rights such as the adoption of new technology or the introduction of CCTV systems. Employers should consider now whether this may be applicable to their business.
- Consent. Employers should consider whether it is still appropriate to rely on employee consent, or whether they should rely on another legal basis for the valid processing of employee data.