THE GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation is a significant piece of legislation and will replace the Data Protection Directive that’s contained within the Data Protection Act 1998.
The GDPR applies to the processing of personal data by organisations within the EU. Despite the fact that the UK is leaving the EU, the GDPR will still be effective in the UK, given its implementation date of 25th May 2018.
Note: in the context of this blog, “data controller” means you, the employer; “data processor” means third parties; and “data subject” means the employee.
What is the Purpose of the General Data Protection Regulation?
The General Data Protection Regulation places increased obligations on you as an employer to provide your employees with details about the personal data you process about them, and additionally to be able to justify this. Personal data means any information that can identify a person, and the General Data Protection Regulation regulates the processing of that personal data.
This means that, as an employer, you must consider all data protection risks in connection with your policies and processes, products and services. Such an audit will extend to other functions such as IT.
Processing of personal data in respect of your employees will likely include all the information held within their personnel file (hard and soft copies) and any information that identifies them that you provide to third parties such as outsourced HR, payroll and benefit programmes. It doesn’t stop there, though: there is also CCTV, and employee assistance and benefit portals.
The GDPR introduces new rights for data subjects, and breaches will be significantly penalised, with the maximum fine being €20 million or 4% of total worldwide annual turnover!
As an employer, the General Data Protection Regulation applies to you as a data controller and to data processors (third parties such as outsourced payroll, HR and benefit providers which you may use). You need to be considering the impact the GDPR has on your business now; you cannot leave this until the last minute, and 25th May 2018 is not that far away.
Increased Employer Obligations
Under the General Data Protection Regulation, employers will have an obligation to ensure that data protection is a key consideration throughout the data lifecycle and to embed privacy considerations into operational and strategic HR.
Employers will need to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities.
Compliance alone is not enough; employers will have to demonstrate compliance.
GDPR – HR Audit
The first step on this long road of preparation is to identify any risks to the business arising from your HR procedures. Employers should be conducting an HR audit in respect of personal data; here are examples of what this may include:
- Identifying the personal data you process
- Knowing why you gathered employee personal data
- Demonstrating how you received employees’ consent
- The type of personal data you have
- Identifying who can access it
- Understanding what systems are used to store it and how secure they are
- Electronic data – is it encrypted and password protected?
- Knowing what purpose the personal data serves
- Being able to confirm how employees know their rights in respect of personal data
- Destruction of data and who is responsible for it
- Confidently being able to identify flows of HR data
- Third parties such as outsourced payroll, HR, benefits, occupational health and pension companies
- Reviewing your HR policies and procedures; they will need updating to meet the requirements of the GDPR
- Knowing whether the personal data is used internally and externally, and whether it is transferred between countries
- Understanding the measures in place to protect the personal data
The audit should cover the entire lifecycle from recruitment through to termination and beyond where relevant.
There is plenty of time to manage this if you start now: any failings likely to fall short of the General Data Protection Regulation requirements can be rectified before the implementation date of 25th May 2018.
The current principles in the Directive are strengthened and expanded under the General Data Protection Regulation, and employers will have to put mechanisms in place to ensure that only data necessary for a specific purpose is processed. Here is an overview of the principles for you:
Lawfulness, fairness and transparency
In respect of the data subject, data should be processed lawfully, fairly and in a transparent manner.
Purpose limitation
Personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation
Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected. Essentially, do not gather more data than is necessary.
Accuracy
Personal data must be kept up to date and accurate. Any processed data that becomes inaccurate or out of date must be erased or rectified without delay.
Storage limitation
Personal, identifiable data should be destroyed the minute it is no longer necessary.
Integrity and Confidentiality
Data controllers and data processors must ensure the personal data is protected against unlawful or unauthorised access. Security measures should be regularly reviewed. Data should be processed in a manner that includes protection against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The data controller shall be able to demonstrate compliance with the above principles by implementing appropriate measures within the business.
Examples – appointing a Data Protection Officer (DPO), implementing or updating policies, reviewing HR policies, training, providing documentation on processing activities, implementing privacy notices, and creating a mechanism to report data breaches.
Managing Employees and the General Data Protection Regulation
Let’s take a look at some of the changes in respect of managing employees.
Legal Basis for Processing
As an employer, you will not be able to rely on contractual consent for processing personal data. If you consider how you manage employees, you are effectively processing data about them every time you deal with them.
The GDPR requires that consent is freely given, specific, informed and an unambiguous indication of the individual’s wishes; additionally, it must be verifiable, so you’ll need a record of how you obtained it. Relying on a clause in the employment contract is unlikely to be valid and, as such, is open to challenge given the imbalance of power between an employer and an employee. Consent must be capable of being withdrawn, just as it is given.
Employers should seek to move away from consent in order to be able to manage their employees effectively. Employers can use an alternative legal ground for processing employee data if consent cannot be obtained, specifically:
- Processing can be identified as necessary for the performance of a contract
Example – holding an employee’s bank details to be able to pay wages.
- Compliance with a legal obligation
Examples – processing data to keep the tax man happy, or to demonstrate compliance with statutory employee rights such as holiday, sickness and family-friendly leave and pay
- The need to process the data is in the legitimate interests of the business.
This legal basis is not clear cut, and there are limits on the circumstances in which employers can rely on it. To fulfil this requirement, employers must state their legitimate interests in notices and allow employees the right to object to having their personal data processed. Furthermore, the legitimate interest of the business must not outweigh the rights of your employees; to evidence this, your actions will have to be fair, transparent and accountable.
Examples – performance management of employees including formal HR processes
Information to be Provided by the Employer
The GDPR requires employers to provide job applicants and employees with information in respect of the personal data processed about them, specifically:
- Identity and contact details of the employer (data controller) and where applicable, the controller’s representative
- The data protection officer (DPO) if your business has appointed one
- Purpose of the processing and the legal basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data
- Any recipients of the personal data
- Details of transfers to a third country and the safeguards in place
- Retention period or criteria used to determine the retention period
- The existence of each of the data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
Additional Rights for Data Subjects
The GDPR will implement changes to current rights and additionally introduce new rights for data subjects, specifically:
- The right to be informed
- The right of access and rectification
The time limit for responding to subject access requests is being reduced from 40 days to 1 month, and additionally the data controller can no longer charge a £10.00 fee. However, as you would expect, there is some flexibility here: the time can be extended by a further 2 months depending on the complexity of the request, and a fee can be charged if the request from the data subject is “manifestly unfounded or excessive”.
- The right to erasure (to be forgotten)
This is the right to have personal data deleted; however, there are grounds on which this right can be refused. As an employer, you can refuse to comply with the request where the data is required to exercise or defend a legal claim.
- The right to restriction of processing
- Right to object to processing including automated individual decision making and profiling
- Right to data portability
General Data Protection Regulation Breaches
Currently, under the Data Protection Act 1998, the ICO can fine a business up to £500,000. The GDPR increases this to a maximum of €20 million or 4% of turnover, whichever is the higher.
Your internal HR policies and procedures will have to address data breaches, which may include:
- How to detect a data breach
- Reporting it
- Who is responsible for managing it
- Identification of who needs to be notified
The new requirement will be to notify the relevant authority within 72 hours of your business becoming aware of a breach.
General Data Protection Regulation Training
Management and employees will have to be trained in respect of their obligations under the GDPR; providing them with this knowledge will reduce the potential of your receiving a significant fine.
As an example, Basildon Borough Council were fined £150,000 this year for a data breach: an employee mistakenly posted some sensitive personal data on the website without having checked it beforehand.
Your employees will know their rights better than you will. If they demand to ‘be forgotten’, will you know what to do, especially if this happens during a formal process such as a disciplinary hearing?
Hopefully this blog has provided you with some information about your upcoming legal obligations in respect of HR and the GDPR.