Despite Brexit, the UK will implement the General Data Protection Regulation (GDPR) when it comes into force on 25th May 2018. The GDPR harmonises the ‘patchwork quilt’ of 28 different EU Member States’ laws with a single, unifying data protection law. It hugely increases penalties for non-compliance, and takes account of globalisation and the ever-changing technology landscape.
The purpose of the new Regulation is apparently twofold:
- To improve consumer confidence in organisations that hold and process their personal data, by reinforcing their privacy and security rights consistently across the EU; and
- To simplify the free flow of personal data in the EU through a coherent and consistent data protection framework across the member states.
The basic principles behind GDPR are essentially unchanged from those enacted in the UK via the Data Protection Act 1998 (DPA), but there are a number of new rights and obligations which will cause a significant rethink on how data is treated going forward.
It will apply not only to EU organisations, but to any organisation processing the personal data of individuals in the EU in relation to offering goods or services, or to monitoring their behaviour.
Significant penalties can be imposed on organisations that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. The current maximum fine that can be imposed by the Information Commissioner’s Office (ICO) is £500,000, so this is a significant increase. The level of fine will depend on the type of breach and any mitigating factors, but fines are undoubtedly meant to penalise any disregard for the GDPR. It will also be much easier for individuals to bring private claims, with a right to claim compensation for distress and hurt feelings even when no financial loss has been suffered.
The GDPR is much wider in its coverage than just employee issues, but we will focus only on such issues. Employers need to be aware of the following changes:
- Organisations will need to implement “privacy by design and by default” into their processes and procedures. This means building data protection into all data processing activities. Doing so will lead to potential privacy issues being identified at an earlier, and less costly, stage, and to an increasing awareness of privacy and data protection related matters throughout the organisation. “By default” means that only personal data which is necessary for each specific purpose of the processing is processed. In particular, such measures need to ensure personal data is not automatically made available to third parties without the individual’s intervention.
- There is an exemption for organisations of fewer than 250 employees, but only in respect of some of the record-keeping requirements for their data-processing activities, unless those data processing activities are high risk or regular.
- It is intended to generate a shift from paper-based compliance to actual demonstrable compliance in practice, known as accountability. You must show not just written policies and processes, but also training and extensive records. Accountability needs to be entrenched in an organisation, requiring it to take a proactive, methodical and answerable approach toward compliance.
- The term “personal sensitive data” now covers any personal data under the GDPR, which is much broader than before; so, for example, a person’s email address will now be classed as personal data.
More Detailed Privacy Notices
These will need to be reviewed, as you will have to give people more information, e.g. your legal basis for processing the data, your data retention periods, if data will be transferred to other countries etc. Employers are required to provide employees and job applicants with a privacy notice setting out certain information such as:
- Information on the right to make a subject access request free of charge (no more £10 administration charges), and the new shorter timescale of 30 days rather than 40 within which to respond.
- The right to have personal data deleted or rectified in certain circumstances.
- Under the new so-called “right to be forgotten”, employees will be entitled to require the employer to erase personal data about them in certain circumstances. This may be the case where the data is no longer necessary for the purpose for which it was originally collected, or where the employee has withdrawn their consent.
Restrictions on Consent
Most employers currently justify processing personal data on the basis of employee consent. This approach has been increasingly criticised because there is doubt as to whether or not consent is given freely in the subordinate employer-employee relationship.
There are more prescriptive requirements for obtaining consent under the GDPR. There will be a new requirement to specifically opt-in, so controllers will no longer be able to rely on generic or ‘bundled’ consent in the way that we have previously advised our clients. This will make it harder for employers to rely on consent to justify processing. Bear in mind that free consent implies that it may be revoked at any time. In most cases, employers will need to move to one of the other legal grounds to continue processing HR-related personal data. This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).
New Breach Notification Requirement
The GDPR imposes a new mandatory breach reporting requirement. Where there has been a data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified.
Records not Notification
The current requirement for organisations to complete an annual notification registering their data processing activities with their supervising authority is replaced under the GDPR. Organisations will be required to maintain detailed internal records detailing what data processing they undertake.
Data Protection Officers
All public authorities and those private organisations involved in regular monitoring of large-scale processing of sensitive data will need to appoint a Data Protection Officer to:
- advise on GDPR obligations;
- implement appropriate mechanisms;
- monitor compliance by verifying that these measures are in place and being followed; and
- liaise with the Data Protection authority (ICO).
Even if a Data Protection Officer is not strictly required, it will be expected that the organisation has conducted an assessment of its risk to decide that such an appointment is not necessary, and can show the audit trail to prove that it is not a large processor of personal data. The GDPR does away with the focus on the size of the workforce, and instead puts the focus on what organisations do with personal information.
How to Prepare Now
All organisations should now be planning their compliance programme to identify how they may be affected, and what they need to do to prepare. While May 2018 still seems a long way off, you may find that in some areas the necessary steps need extensive and time-consuming preparation. Co-operation and understanding of the new GDPR obligations across the business is critical, and employers will need people from different disciplines to take a combined approach.
The most important steps to take in relation to employment include:
- This is a boardroom issue, not a tick-box compliance task. Organisations need to change their mind-set and senior management need to lead by example.
- The Board needs to appoint someone within their organisation to take the lead on assessing how GDPR will affect their organisation across all data processing aspects, not just employment matters.
- Carry out a data audit. Carefully assess current HR data and related processing activities, and identify any gaps and high-risk areas under the GDPR.
- Review current privacy notices and consider whether to update them sooner rather than later, to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.
- Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether or not it meets GDPR requirements and remember that consent may be revoked at any time. Employers will generally need to rely on one of the other legal grounds to continue to process employee personal data.
- Develop a data breach response programme to ensure prompt notification. Allocate responsibility to certain people to investigate and contain a breach, and make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
- Determine whether or not a Data Protection Officer must be appointed and, if so, think about how best to recruit, train and resource one; albeit in most cases that will be an existing senior IT or Finance person.
- Conducting a Privacy Impact Assessment (PIA) will be mandatory. Various aspects of HR activity, for example, recruitment and post-employment issues, would require a PIA to be conducted. This allows organisations to see the potential dangers with data processing activities from an early stage, and allows mechanisms to be created to mitigate this risk before it becomes a reality.
- Review your guidance/policy so that it ensures sufficient management control of personal information accessed remotely, or via personal devices (BYOD).
- Implement appropriate training of, and communication with, staff at induction, annually and when changes occur.
- The GDPR is about creating a data privacy culture where people think about how they would want their personal information to be processed.
- Develop a timeline to implement a GDPR compliance programme.
Maintaining the balance between the protection of the privacy of the workers and the prerogatives of the employer can be tricky. There is likely to be a big increase in numbers of subject access requests, which will be more difficult to manage. Subject access requests will be an even more prevalent feature of litigation/disputes.
The ICO has commented that in many cases, GDPR only enhances rights and requirements that already apply under DPA, but it is working on a set of guidance on GDPR to help clarify where the balance should be.
To help understand the detail further, read the ICO initial guidance on preparing for the GDPR available at the ICO link below.
Then go to the below ICO link, and work your way through the questions designed to help you get ready.
Also on the ICO website, at the below link, there are checklists that you can go through to self-assess your organisation’s compliance with data processing requirements:
We will be working on a suitable revised GDPR policy for our clients for 2018, along with some basic tools to help our clients to deal with the employment issues arising from these new regulations, but there is no need to delay reviewing your grounds for processing data, liaising with external data processors and making sure that your personnel files and systems are up to date.
Clients are welcome to raise concerns with their Consultant who will be pleased to advise you on any Employment/HR element of the issues arising from this newsletter.