The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
GDPR brings in a number of changes to the way in which organisations deal with personal data and significantly increase the fines that may be levied for cases of non-compliance. We consider a number of key actions that need to be taken in the employment context when handling employee personal data in order to be ready for GDPR.
One of the first key steps is to ensure that you have a good understanding of all of the employee data that is collected, how it is used and how it is shared. It is important to do this for two main reasons: (i) in order to be able to comply with new record keeping requirements under GDPR; and (ii) to ensure that procedures, policies and documentation are updated to comply with the new requirements.
The data mapping exercise might be part of a wider GDPR project undertaken by your organisation. However, if this is not already on-going we recommend that a data mapping exercise for employee data is carried out as soon as possible.
Review of employee privacy notices
GDPR requires a much wider range of information to be provided to job applicants and employees about the way in which their personal data will be handled. It is therefore necessary to review the points at which data is collected in the employment context and to update privacy notices provided to individuals at those points. This will include information gathered from applicants and also information gathered from employees during the course of their employment.
Review of consent mechanisms
Under GDPR the standard to obtain valid consent has been raised. Consent must be specific, freely given, informed and unambiguous. This means that a clear, positive action must be taken by the individual to indicate consent and the individual must be fully informed as to what they are consenting to.
It is difficult in the employment context to obtain valid consent due to the nature of the relationship between the parties. It is therefore recommended that a review is carried out to identify where consent is being relied upon. In most cases it is likely to be possible to rely on a different legal basis to justify processing of employment data. This could be because there is a statutory obligation to process the data, because it is necessary to process the data to fulfil a contractual obligation or it is in the legitimate interest of the employee to process the data and this is not outweighed by the rights of the individuals.
In cases where consent is required because no other legal basis is available then it will be necessary to review the relevant consent mechanisms and ensure they comply with the higher requirements under GDPR. It is important to note that it is not possible to obtain a valid consent under GDPR by embedding it within wider employment terms and conditions. Any such consent will need to be separated out and be distinct from the wider terms and conditions.
Existing rights under the Data Protection Act remain in place, although the timeframes for compliance are reduced to one month and the £10 fee for subject access requests is being abolished. Organisations will therefore need to review their existing procedures to ensure that they will be able to comply with subject access requests within a shorter timeframe.
GDPR also introduces a number of new rights. This includes the right of data erasure, right of data portability and right to object to processing. It will be necessary for employers to consider the ways in which such rights might be exercised by employees and the procedures that will be followed within the business to ensure that those rights are respected.
It will also be important to ensure that procedures are documented as GDPR brings in a new "accountability" requirement, which requires organisations to ensure that they document the measures they are taking to enable compliance with GDPR.
Some organisations will have to appoint a data protection officer (DPO). A DPO must be appointed by public authorities and by private companies if they are carrying out monitoring of individuals on a large scale (for example via CCTV) or if they are processing sensitive personal data on a large scale. Organisations will need to consider whether any of these triggers are met and, if so, a DPO must be appointed.
DPOs have certain protections under the GDPR which means that they cannot be dismissed unless they are failing to fulfil their role as DPO. It is also necessary for the DPO to have a direct reporting line into senior management, to be established as an independent role and not to have any conflict of interest with other activities that may be undertaken by the individual.
We recommend that organisations carry out an assessment of whether they need a DPO and document that assessment as soon as possible. If a DPO does need to be appointed then it will be important to ensure that an individual with the appropriate qualifications and expertise is appointed to comply with GDPR requirements. The nature and structure of the role will also need to be considered to ensure that it meets the independence obligations.
The GDPR brings with it various changes that employers need to put in place by 25 May 2018.