In May 2018, the General Data Protection Regulation (GDPR) will overhaul the 20-year-old Data Protection Act 1998 (DPA). The new law will require all employers to look afresh at how they store and manage employee data, particularly sensitive personal data such as information on employees' health, absences and trade union membership.
It is important that HR professionals understand their obligations under the GDPR and are engaged in their organisation's compliance strategies. This article looks at some of the main impacts on employers and HR departments, commenting on some of the key areas in which data protection compliance interacts with HR.
How will you ensure you are processing employee data lawfully and fairly?
HR departments will play a crucial role in ensuring that employee data is processed lawfully, and appropriate information is given to employees about the use of their data. The GDPR will require a significant shift in how organisations deal with this aspect of data protection compliance. In particular, it will require a move away from relying on employment contracts towards comprehensive and clearly drafted privacy notices.
Can you continue to rely on consents in employment contracts?
Under both the existing DPA and the GDPR, personal data can only be processed if one of a number of conditions is met. One of those conditions is consent and, at present, employers often rely on consent clauses in employment contracts as satisfying that requirement.
This has never been an ideal approach, as there has always been a question mark over whether such consent can be freely given. Under the GDPR, however, consent will almost never be the best route to ensuring that data on employees is processed lawfully. Consent can only be relied on for processing if it is freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Given that an employee has no real choice but to enter into an employment contract if he/she wants the job, it is unlikely that this condition can be satisfied by a clause in that contract.
There are a number of other conditions for lawful processing that can be relied on, and HR departments should ensure they know which is most appropriate for their organisation. The most likely candidates are: (1) that the processing is necessary for the purposes of legitimate interests pursued by the employer (and those interests are not overridden by the employee's interests or rights); or (2) that it is necessary for the performance of a contract to which the employee is a party (ie the employment contract). Sensitive personal data, such as health information, additionally requires one of a narrower set of conditions to be met, for example that the processing is necessary to comply with the employer's obligations under employment law.
So what do we do about employment contracts that currently contain data protection consents?
It would be advisable to inform employees that the sections of their contracts dealing with data protection consents no longer apply. However, for some organisations, it may still be appropriate to cover some data protection issues in employment contracts. That could be the case for employees whose roles are focused on the processing of customer data where employers may want those employees to have some contractual obligations to process data lawfully and in line with their policies.
In any event, HR professionals will need to amend template contracts for new employees to remove consent clauses that are unlikely to be the best route to compliance under the GDPR. Potentially the new versions of such contracts could refer employees to an organisation's data privacy notice (see below) or even append that notice to the contract.
If we can't rely on consent, how do we ensure we process information lawfully and fairly?
Instead of relying on consent, employers will need to ensure that they have a comprehensive, concise and transparent privacy notice that advises employees as to how and why their data will be processed.
Under the DPA there is already a requirement to provide such a privacy notice, sometimes referred to as 'fair processing information', to employees. However, under the GDPR the information to be provided to employees about the processing of their data is far more extensive than that required under the DPA. The notice needs to set out the specific legal condition relied on for fair processing, where data is obtained from and who it may be provided to, information on how long data will be stored for and information on a data subject's wider rights under the GDPR including in relation to subject access requests and the right to complain to a regulator (in the UK this is the Information Commissioner's Office).
Employers will therefore need to carefully audit the data they hold and the use of such data in order to prepare suitable privacy notices. Once a suitable notice has been drafted, employers will need to update the existing information on use of data, which may currently be set out in a staff handbook, a data protection policy or on a staff intranet page.
Those organisations that have in the past relied solely on a consent clause in an employment contract will need to decide how best to draw a privacy notice to employees' attention. For new joiners that could involve including the privacy notice in the induction process (or, better still, with the offer of employment). For existing employees, HR professionals will need to develop a clear communication plan so that they can evidence that adequate information was provided before the GDPR applies.
What about job applicants?
HR departments will hold information not only on existing and former employees but also on applicants for employment. Personal data on applicants must be processed fairly and lawfully in the same way as employee data, so a similar exercise is needed: audit how applicant data is used and prepare a suitable privacy statement advising applicants how and why their information will be processed. Depending on how candidates apply for roles, that privacy statement may need to be incorporated into an online application system, or the organisation may need to work with recruitment agencies to make sure there is a process for providing the information to applicants.
What about subject access requests?
Employers will be familiar with employees using subject access requests to try to obtain documents for use in disciplinary and grievance procedures or as a precursor to an Employment Tribunal claim and may have experience of how time-consuming they can be to process.
Under the GDPR the current fixed fee of £10 that employers can charge for complying with a subject access request will no longer apply. Additionally, employers will be required to comply "without undue delay" and in any event within one month, rather than within the current 40 days. This is very likely to lead to an increase in the use of subject access requests.
On the other hand, where a request is complex or an employee has made a number of requests, the one-month period can be extended by up to a further two months, provided the employee is told of the extension, and the reasons for it, within the first month. Employers will also be able to refuse to comply with a request (or charge a reasonable fee) if it is manifestly unfounded or excessive, although the employer bears the burden of demonstrating that. The latter may give scope for narrowing down onerous requests and could therefore be welcome.
HR departments should consider implementing processes to ensure they can efficiently deal with any increase in requests.
What other new rights will employees gain?
As data subjects, employees will have new rights to ask for rectification, deletion or freezing of their data (with the latter being a restriction on having their data processed). Circumstances in which these rights apply include where data has been unlawfully processed. There is a risk of employees seeking to use these rights to challenge evidence being used against them in disciplinary processes.
Until these rights have come into effect it is difficult to say how much use employees will try to make of them. However, if an employer has a well drafted privacy notice, that will make it more difficult for employees to argue that data has been processed unlawfully. Getting the privacy notice right could therefore be a defence against attempts to utilise these rights.
What further role will HR play in ensuring compliance?
One of the biggest data protection risks for any organisation will be mistakes made in handling data by employees. Therefore, implementing robust data security procedures and developing training on those procedures will be key elements of any organisation's GDPR compliance strategy. As part of the process of embedding data protection principles in workplace culture, HR will need to work with information security teams to ensure that all employees are trained on and understand their obligations under the GDPR.
Learning and development teams will therefore need to be involved in devising training courses and implementation plans well in advance of 25 May 2018, the date from which the GDPR applies. HR teams will also need to be involved in the drafting and dissemination of data protection/information security policies.
One of the key requirements of the GDPR is an obligation on a data controller to notify the Information Commissioner (or the relevant regulator where operating elsewhere in Europe) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. Where a breach is likely to result in a high risk to the individuals concerned, the affected employees must also be told without undue delay.
Employees will need to be aware of the notification requirements and to understand that intentional or grossly negligent breaches are likely to be treated as disciplinary offences. It may also be appropriate for employers to embed 'fair culture' practices so that employees know that, if they report a minor or innocent breach, the focus will be on resolving the issue and preventing reoccurrence rather than on blame. That may encourage employees to report breaches.
What if we need a Data Protection Officer?
Public authorities, and employers whose core activities involve either regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive personal data (such as health information), will be required to appoint a Data Protection Officer (DPO). This is an independent role with a focus on advising the data controller and its employees on their obligations and monitoring compliance with the GDPR.
Whilst most employers will not need to appoint DPOs, those that do may face some HR challenges. These may arise if they already have employees working in a similarly titled role. This might mean needing to consult on changes to that person's job role to encompass the DPO responsibilities, or on changing their title if that person cannot be the DPO. A DPO may hold other duties, but because of the requirement for independence those duties must not create a conflict of interest, so he/she cannot also be the person who decides the purposes and means of the organisation's processing of personal data. This issue may therefore well arise.
Why is compliance important?
At present, organisations can be fined up to £500,000 for a serious breach of the DPA. Under the GDPR, however, the maximum penalty for the most serious breaches of its requirements is EUR 20 million or 4% of an undertaking's worldwide annual turnover, whichever is higher. The potentially severe penalties for breaches of the GDPR mean that data protection compliance should now be seen as a key compliance issue for all employers.
Organisations will need a joined-up approach to compliance with the GDPR and HR departments will have a key role to play, not just in ensuring employee data is processed lawfully and fairly but in embedding data protection culture across an organisation. If HR, information security, compliance and legal teams can work together in devising procedures and training programmes then an organisation will be in a much stronger position when it comes to complying with its data protection obligations.