The General Data Protection Regulation (GDPR) will come into effect in the UK in May 2018 and will cause fundamental changes to the UK's data protection law. Brexit will not affect these changes. This guide explains what employers need to do to prepare for and comply with the GDPR.
The previous maximum fine of £500,000 will be replaced. Minor infringements, such as record keeping failures, could attract fines of up to €10 million or 2% of gross annual turnover, whichever is higher. More serious infringements, such as a breach of the principles of GDPR, could result in a fine of up to €20 million or 4% of gross annual turnover, whichever is higher. In addition to the employer fines, employees (as data subjects) also have the right to claim compensation for any damage suffered as a result of a breach of GDPR.
How do you currently use personal data?
To comply with the GDPR you need to understand how you use personal data. This includes identifying what data is held, where it is held, for how long and the reasons for holding the data. You should also identify if the data is transferred to group companies or third parties, particularly if this data will be transferred outside of the EU.
Can you rely on employee consent to process data?
GDPR requires employers to have a legal basis for processing personal data of employees. Employee consent alone may no longer be sufficient. GDPR states that, to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and controller. Consent provided as part of the recruitment process may be challenged on the basis that it is not 'freely given' due to the imbalance of power between the parties.
Alternative basis for processing
As well as requesting consent, employers may wish to use additional methods to justify processing of employees' personal data, for example by demonstrating that processing is 'necessary' for one of the following purposes:
1. the performance of the employment contract, eg to pay the employee;
2. the legitimate interests of the employer, eg for administrative purposes; or
3. to comply with a legal obligation.
Employers will be able to justify the processing of most employee data, in line with the employer's various duties (to pay the employee according to hours worked, to ensure a safe working environment, etc.). Even the processing of sensitive personal data (such as sickness records) can be shown to be necessary to carry out the employer's duty of care towards the employee. However, employers should consider what types of data they hold and who has access to the data to ensure they do not go beyond what is necessary to comply with their obligations. This should include deleting data periodically to ensure that they are not holding data for longer than required.
Employers must inform employees (and job applicants) how their personal data will be used. This can be done through a more detailed version of the privacy notices/fair processing notices that employers will already use.
GDPR lists information that should be provided to data subjects when their personal data is collected, for example, the purpose and legal basis of processing and whether the personal data will be transferred to any third parties such as HMRC or pension schemes.
If you wish to process personal data for a purpose other than what it was originally collected for then the employee must be informed of this new purpose. You should ensure that privacy notices are kept up-to-date, are clear, easily accessible and free of charge.
Extended Rights of Employees
GDPR will extend existing rights of data subjects and will also introduce some new rights. We have summarised these below.
The right of access
This area closely resembles the Data Subject Access Request (SAR) obligations under the Data Protection Act 1998. The key change is to the timescales to respond to SARs. Employers currently have 40 days to respond; from 25 May 2018 information must be provided 'without delay' and at the most within one month. Depending on the complexity and number of requests this period can be extended by a further two months.
Information must be provided free of charge, unless the request is repetitive or unfounded. The current £10 fee will no longer apply.
The right to rectification
Individuals will have the right to have inaccurate or incomplete personal data rectified.
The right to erasure
Data subjects will also have the right to have data deleted in certain circumstances, for example, where consent is withdrawn. Employers will also have to ensure that any other organisation with whom they shared that data also deletes it.
The right to restrict processing
Individuals will still have the right to prevent further processing of data. Existing data may continue to be stored, but cannot be further processed.
The right to data portability
This new right allows individuals to acquire personal data that they have provided to the employer in a structured, commonly used and machine readable form, free of charge. This aims to enable the safe and secure transportation of data into a new IT environment.
The right to object
Individuals will have the right to object to processing in a number of circumstances, for example where the processing is based on legitimate interest or for direct marketing purposes. If an objection is raised the employer must stop the processing unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or can show that processing is necessary in connection with legal proceedings.
The extension of employee rights will require employers to have structures in place whereby personal data can be easily accessed and provided on request, with a clear understanding of the justification for processing and, if necessary, why the employer continues to hold personal data.
Employers should consider privacy from the outset of projects (privacy by design and default) and in any event before processing personal data. It will no longer be acceptable to consider compliance with data protection laws retrospectively. Data controllers must be able to demonstrate how compliance is being achieved on a constant basis.
Data Protection Officers
You should consider whether your organisation is required to appoint a data protection officer. This will be mandatory for all public sector organisations. Private sector organisations will also need to do this if certain criteria are met.
Data Protection Impact Assessments (DPIAs)
GDPR contains extensive provisions relating to DPIAs. In certain circumstances DPIAs will become mandatory under GDPR, for example where the employer is using new technologies or where the processing is likely to result in a high risk to the rights and freedoms of individuals.
GDPR will introduce new reporting requirements in the event of a data breach. Employers will need to report a personal data breach to the Information Commissioner within 72 hours of becoming aware of it. The short timescale for reporting means employers should have a response plan in place for such an occurrence, to ensure that the breach could be identified, reviewed and reported in time.
Employers often outsource the processing of personal data to third parties, or pass personal data to third parties for the purposes of receiving services (eg cloud hosting services) or for sharing with group companies.
Where an outsourcing contract involves the processing of personal data, mandatory processing provisions must be included in the agreement.
If data is transferred outside the EU, the employer must satisfy certain requirements, eg obtain the explicit consent of the data subject, or enter into the EU standard contractual clauses for the transfer of personal data outside of the EU.
Businesses should review current contractual arrangements to ensure that these comply with GDPR.
Things to do now
Gather information about all of the employee data that you hold:
- What data do you hold?
- For how long?
- Where do you hold data?
- To whom do you transfer data?
- Why do you hold the data?
- Is it transferred outside of the EU?
Think about your current practices and contracts:
- What is the legal basis on which you process personal data? Do you rely on consent? Is this consent likely to be valid under GDPR?
- For each category of data held, consider and document your legal basis for processing, eg, demonstrating legitimate interest.
- Do your current privacy notices, data protection policies and third party contracts which involve the processing of personal data comply with the GDPR or do they need to be updated?
Things to do before 25 May 2018
- Implement a data breach notification policy. You will have 72 hours to notify the Information Commissioner's Office if you become aware of a personal data breach.
- Appoint a Data Protection Officer if required and consider what resources they will need.
- Update any contracts, policies and insurance policies to comply with the GDPR (including employment contracts and/or standalone GDPR processing consents).
- Create a GDPR compliant processing register.
- Review your personal data security mechanisms and update these if necessary.
- Develop a retention policy covering access rules and when to delete historic records.
- Provide staff training on GDPR compliance.
25 May 2018 and beyond: ongoing compliance
- Introduce data protection impact assessments to ensure that data protection is considered at the beginning of a project and is not merely an afterthought.
- Ensure that your business follows these new practices and complies with the GDPR.
If you have any queries surrounding GDPR, please get in touch with the key contacts below or your usual Shepherd and Wedderburn contact.