The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive and will be directly applicable in EU member states from 25 May 2018. The Data Protection Act 1998 (DPA) will be replaced by a new Data Protection Bill, which has not yet been published.
Notably, the GDPR carries tougher penalties than the DPA: the maximum penalty for non-compliance is EUR 20 million or 4% of the turnover of the business, whichever is higher. Currently the maximum under the DPA is £500,000.
As with the DPA, the GDPR requires data controllers to comply with principles for processing personal data. Under the GDPR, all information provided about data processing must be concise, transparent, easily accessible and given in plain language.
Where, under the DPA, employers would often rely upon the consent of an employee to data processing (usually contained within the employment contract), this is no longer advisable under the GDPR.
Why can't you rely on existing consent?
Although consent is a legal basis for processing personal data under the GDPR, there are stricter conditions. Specifically, consent must be freely given, specific, informed and unambiguous. Consent given under the provisions of an employment contract may not be freely given - it would appear to be a condition of employment, where the individual does not genuinely have a free choice.
The other problem with relying upon consent is that the GDPR allows consent to be withdrawn at any time. Furthermore, the employer must advise the employee of this right, and it should be no harder to withdraw consent than to give it. If an employee withdraws consent in relation to employment records, this will be problematic if the employer has not notified the employee of any other legal ground for processing such information.
If consent is incorporated into an employment contract, that consent should be provided separately from the other provisions and should require a separate signature.
However, generally speaking, employers should be looking to justify the processing of personal data using a different legal basis, reserving consent for one-off processing events, for example, requesting consent to send information about health to a specialist.
If not consent, how can an employer justify processing employee data?
The GDPR allows processing if the legal basis is that such processing is in the employer's "legitimate interests" (Article 6.1(f)) or if it is necessary for the performance of a contract to which the employee is a party (Article 6.1(b)).
If relying upon "legitimate interests", employers should clearly explain what those interests are, and should note that this justification for processing may be overridden where the fundamental rights and freedoms of the individual require protection of their personal data.
What are an employer's main obligations under the GDPR?
Employers will need to provide more information about the data they process under the GDPR than previously under the DPA. Such information should include: the source of the data, the period of storage (or the criteria for determining such a period), the employee's data subject access rights and rights to rectification and erasure, the right to object to processing on certain grounds, the right to withdraw consent (where consent is given), the right to make a complaint to the ICO and the legal basis of any transfer of data outside the EU. Employers must also provide more detailed information and justification about the processing of sensitive personal information, including how and when such information might be used. For example, information about health may be needed to assess capability for work or to ensure health and safety in the workplace, amongst other things.
The GDPR also requires the employer, as a data controller, to demonstrate actual compliance. This will involve policies and steps to ensure that data protection principles are built into systems and processes. Data collected should be processed only so far as is necessary for the purpose for which it was obtained.
Although appointing one is not compulsory (unless the business processes sensitive data, such as health information, on a large scale or systematic basis, or the business is a public body), some employers will appoint a Data Protection Officer (DPO) to monitor GDPR compliance, carry out training and liaise where necessary with the ICO. Where only some health information relating to certain employees is processed, the requirement to have a DPO is unlikely to be triggered.
Are there changes to Data Subject Access Requests (DSARs)?
The process for dealing with DSARs under the GDPR is similar to that under the DPA, with the following differences:
The 40-day period for provision of the data requested is replaced with an obligation to comply without undue delay and within one month. Depending on the complexity of the request, it may be possible to extend this by an additional two-month period.
Employers will no longer be able to request a £10 fee. However, a reasonable fee may be charged where a DSAR is "manifestly unfounded or excessive", to cover administrative costs and to discourage onerous DSARs. What is "manifestly excessive" will depend upon the specific circumstances, but the aim is to encourage dialogue and agreement about the scope of the request.
In addition to DSARs under the GDPR, employees may make requests based on their rights to: erasure, rectification, restriction of processing and objection to processing. As with DSARs, such requests should not be excessive or a fee may be charged.
10 Action Points
Audit the types of personal data you hold and document this with collection (and source), storage and retention information and information about when data is passed to third parties.
Identify the legal basis under the GDPR on which you will process personal data of employees.
Review your employment contracts. Where consent has been included in contracts, consider options for updating contracts to remove the consents, to take effect from 25 May 2018.
Prepare a privacy notice for your employees, workers and contractors or update your current notices to ensure that GDPR issues for your organisation are adequately covered. A further privacy notice should be used for your job applicants.
Appoint a DPO for the business if necessary or if simply helpful to guide the business through GDPR compliance.
Update your data protection policies.
Train staff who process data on the GDPR and your policies.
Implement effective processes for the storage and retention of personal data, including emails.
Workers in other jurisdictions? Note that requirements may be different in member states so different privacy notices for different jurisdictions may be required.
Notify staff about contract variations, e.g. if you are no longer relying upon the contractual consent, notify employees of this and the date on which this change takes effect.
Do you need help with a Privacy Notice for employees, workers and/or contractors?
We would be happy to assist with tailoring a privacy notice to the needs of your business. Please contact a member of the Employment Team or call 020 7404 0606.