The General Data Protection Regulation (the GDPR) is due to come into force on 25 May 2018 and will have a significant impact on how businesses manage the personal data of their employees.
The GDPR is the most important change in data protection legislation in the last 20 years, replacing each different EU Member States' laws with a single, unifying data protection law, and it is difficult to overstate its importance. All businesses that use personal data will have to comply with the GDPR or face potential fines of up to €20 million or 4% of total annual worldwide turnover, whichever is greater.
The GDPR is complex and broad ranging in scope. Ensuring your business is GDPR compliant by next May is likely to be a challenging task and may require a significant investment of time and resources. We set out below the key considerations from a HR perspective and the action points you should consider taking without delay.
1. Consent as a Legal Basis for Processing Employee Data
Under current data protection legislation, employers are permitted to collect and use data relating to employees where there is a legal basis for doing so, including where employee consent has been provided. For this reason, many employers choose to have a fairly standard, short clause included within employment contracts in which employees give their “consent” to the employer to store and process their personal data. This way of obtaining consent has been increasingly criticised over recent years on the basis that there is an inherent imbalance of power between employer and employee which can mean that consent is not legitimately given.
The GDPR sets out more detailed and strict conditions for the use of consent and provides that it must be freely given, specific, informed and unambiguous. Consequently, obtaining employee consent within the employment contract in this way is likely to be ineffective under the GDPR.
Employers will therefore need to assess the legal ground(s) on which they process personal data. Where employee consent is relied on, they must ensure that the requirements of the GDPR are met. Alternatively, they may prefer to rely on another legal ground for processing personal data where one exists (for example, because it is necessary to perform the employment contract, to comply with a legal obligation or because it is necessary for the employer’s legitimate interests). Employers should also consider what steps they will need to take in circumstances where employee consent is subsequently withdrawn. These changes are likely to require a review of existing employment terms and conditions to be carried out.
2. Responding to Data Breaches
The GDPR requires mandatory breach reporting. Where a business suffers a data breach it will need to notify the relevant data protection regulator within 72 hours of it becoming aware of the breach. Where the breach relates to HR data (for example, an employee’s personal data is sent to the wrong person), the employer will need to notify the affected employee(s) without undue delay if the breach is likely to result in a high risk to his/her rights and freedoms.
Whilst the GDPR contains some exceptions to these requirements (for example, if the data was encrypted), a swift assessment of the likely risk(s) involved will need to take place whenever a breach is discovered. Businesses should ensure they have robust procedures in place to respond to breaches and employees should be properly trained on them.
3. Information Provided to Employees
Under current legislation, employers are required to provide job applicants and employees with a privacy notice, setting out the purposes for which data is processed and the information needed to ensure the processing is fair. This information is often contained in a data protection policy.
Under the GDPR, employers will need to provide significantly more information (including, for example, how long data will be stored for, if it will be transferred to other countries, information on the right to make a subject access request and information on the right to have personal data deleted or rectified in certain circumstances (see below)). This information will need to be provided in plain language and be concise, transparent and easily accessible.
Employers should review and update current policies, contractual provisions and privacy notices to ensure they comply with these detailed requirements.
4. Subject Access Requests
Under the GDPR, the 40 day deadline in which a business must comply with a request is to be replaced by an obligation to comply “without undue delay and within one month”. Where the request is particularly complex, an extension for compliance of up to two additional months may be agreed.
The £10 fee for processing a request will also be removed and replaced by an ability for employers to request a reasonable fee (taking into account the administrative costs of providing the information) where the request is “manifestly unfounded or excessive”, or to refuse to carry out the request altogether.
Employers will need to review and update policies relating to subject access requests, and provide training to those members of staff dealing with them.
5. Increased Employee Rights, Including the Right to be Forgotten
Under the GDPR, employees will have increased rights to object to certain processing, to have data corrected or to restrict how data is used, and to be forgotten (i.e. to have their personal data deleted).
Under the new “right to be forgotten”, employees will be entitled to require their employer to erase personal data about them in certain circumstances. This may be the case where data is no longer necessary for the purpose for which it was originally collected, or where the employee has withdrawn his/her consent.
Employers should ensure they understand when such requests can be made by employees and have arrangements in place for dealing with them.
6. Stricter Requirements Relating to the Use of Data Processors
Employers often outsource certain HR/payroll functions to third party suppliers, for example, to payroll companies or providers of cloud services. Under data protection legislation, these third parties are known as ‘data processors’.
The rules surrounding the use of data processors will become more stringent under the GDPR. For example, data processors will have a duty to comply with the requirements of the GDPR, with potential liability if they fail to do so. This is a marked change from the current regime under which they have very limited liability for data compliance. There will also be an onus on employers to ensure they work with compliant suppliers.
Businesses must therefore ensure they fully understand the new requirements relating to the use of data processors and should review the current contractual arrangements in place to ensure they are suitable and compliant.
7. Automated Decision Making
Employees have the right not to be subjected to automated decision making. This may apply in relation to, for example, the shortlisting of staff, performance management thresholds or triggers for sickness absence and/or attendance bonuses. Employers should review their use of any automated decision making processes and, where necessary, consider alternative ways for making such decisions.
8. Appointment of Data Protection Officers
Public authorities and private companies involved in regular monitoring or the large scale processing of sensitive personal data will be required to appoint somebody independent as a Data Protection Officer.
Under the GDPR, the onus will be on employers to prove compliance. For this reason, it will be crucial for businesses to be “audit ready”, by ensuring that records of processing activities are well organised and easily accessible, and by having well drafted policies with clear lines of responsibility in place.
As you will note, there are many urgent action points for employers to consider. Those employers who previously regarded non-compliance with data protection legislation as a low-risk issue will be quickly forced to re-evaluate their position and to ensure compliance going forward or face potentially hefty fines.