In response to rapid technological developments and growth in the collection and sharing of personal data, an updated data protection law, known as the General Data Protection Regulation (GDPR), will come into force on 25 May 2018.
What employers need to know to prepare
The GDPR will have a much more significant impact on employers as it introduces new and varied concepts to strengthen the core principles.
Many of the principles in the new legislation are much the same as in existing Data Protection law – for example, the principles of fairness, lawfulness and confidentiality remain at the heart of the GDPR. Core concepts of personal data, data controllers and data processors are also broadly similar. However, in future there will be enhanced rights for data subjects, greater data controller transparency, more burdensome standards for consent and significantly increased sanctions for non-compliance.
Enhanced Rights for Data Subjects
The right to be informed: transparency is a key part of GDPR compliance, and employers will have to be more open with their staff about their approach to managing and processing data. At the time data is obtained, the employer must provide the employee with certain prescribed information, which includes:
- the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing
- the recipients of the personal data, if any
- the period for which the personal data will be stored, or criteria used to determine that period
- the right to request access to, rectification or erasure of personal data or restriction of processing from the controller
- the right to object to processing as well as the right to data portability
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of possible consequences of failure to provide such data
- whether the personal data will be subject to any automated processing and the significance and the envisaged consequences of such processing for the employee.
To meet these strict requirements, you need to have detailed, GDPR-compliant privacy policies for staff and include privacy notices whenever you collect personal data.
The right to erasure: This is a right to be forgotten, so individuals can require data to be erased where there is a problem with the data processing, where the employee objects to processing, or where they withdraw their consent. If data has been made public, controllers are required to notify others who are processing that data with details of the request.
Controllers must respond without undue delay and certainly within one month.
Data Portability: this goes beyond the scope of a subject access request, which allows individuals to access data, and requires the controller to provide information in a structured, commonly used and machine-readable form so that it can be easily transferred by the data subject to another data controller.
Data portability is narrower than the right to subject access as it only applies to personal data processed by automated means (i.e. no paper records), personal data provided by the data subject to the data controller, and where the basis for processing is consent or the fulfilment of a contract.
This may be particularly relevant to employers when employees leave a company.
The right to rectification: Individuals can require a controller to rectify inaccuracies in personal data held about them.
Consent is one of the conditions allowing the processing of personal data. Data Protection law distinguishes between ordinary consent (for non-sensitive personal data) and explicit consent (for sensitive personal data, such as medical records) and states that consent must be a specific, informed, freely given and unambiguous indication of agreement.
The GDPR retains this high standard of consent, and goes further so that implied consents, opt-outs or silence are invalid.
Employers must be able to demonstrate that the data subject gave their consent to the processing. It should be noted that consent obtained pre-May 2018 will not be valid from that date unless it is GDPR compliant.
Consent is not the only ground for processing personal data. In an employment situation, processing of employee data is generally necessary for the performance of the employment contract – for example, processing employee data for payroll, or to provide statutory entitlements such as sick pay or maternity pay. The employer also may have to use the data to comply with a legal obligation – for example, where they are required to monitor working hours.
Withdrawal of consent: The GDPR states that consent can be withdrawn at any time and it must be as easy to withdraw consent as it is to give it.
If consent is withdrawn and there are no other grounds for processing, you will have to delete the data.
Accountability: Under the current DPA there is a duty to comply with data protection principles. The GDPR goes a step further and requires an employer to demonstrate this compliance.
As a bare minimum, this means that an employer should have in place a data protection policy that demonstrates that the processing of personal data is compliant with the GDPR. An employer should also be able to evidence that it has implemented the policy through, for example, staff training, audits of data processing and so on.
Notification of breach: Whilst the ICO’s guidance recommends that serious data breaches are reported to it, under the DPA there is no obligation to report a data breach to the regulators unless the organisation is a telecoms provider or internet service provider.
However, under the GDPR employers who are aware of a personal data breach must notify the regulator without undue delay and, where feasible, within 72 hours. This could have a huge impact on day-to-day activities, as we all know how easy it is to lose mobile phones and laptops, or to have them stolen. This also adds further consequences to that e-mail sent to the wrong recipient.
The flipside to this requirement is that employers can use this obligation to their advantage to deter employees who leave to set up a rival business and, in advance of leaving, email personal data about clients to their personal email.
Employers can warn employees that such conduct is strictly prohibited and is in breach of data protection law (it can even be a criminal offence), and also warn them that the employer can report a departing employee who has breached covenants or confidentiality in this way to the ICO, which could result in their prosecution.
There is no notification requirement if the breach is unlikely to result in a risk to employees, but records will need to be kept to show that the breach was assessed and why the decision that no notification was required was taken. If notification is required, the employer must explain to the regulator what happened and set out the potential number of individuals affected, the likely consequences and the measures taken or proposed. If the breach is likely to pose a high risk to an employee’s rights and freedoms, then the employee must also be notified.
Employers should therefore consider putting policies and processes in place to ensure that data breaches are responded to and that the GDPR timescales are met.
Subject Access Request (SAR)
These are unlikely to become easier to deal with under the GDPR. The process itself will remain the same but:
- The current fee of £10 will no longer be chargeable, although if a request is “manifestly unfounded or excessive” employers will be able to charge “a reasonable fee” for the administrative costs of providing the information.
- The current statutory timeframe of 40 days changes to an obligation to comply “without undue delay” and at the latest within one month of the request, unless the request is particularly complex. This makes compliance more onerous and staff must be adequately trained to deal with SARs within the new timeframe.
Sanctions: An important change to note is increased sanctions for non-compliance. A breach of the GDPR will lead to much more severe penalties than the current DPA, including fines of up to 20,000,000 Euros or 4% of annual worldwide turnover, whichever is the greater. So businesses will no longer be in a position to regard non-compliance with EU data protection law as low risk.
What to do now
1. Review your data protection policies and training methods to ensure these are consistent with the revised principles.
2. Ensure you are clear about the grounds for lawful processing relied on by your organisation and check these grounds will still be applicable under the GDPR.
3. Where relying on consent for lawful processing, ensure:
- Consent is active and does not rely on silence, inactivity or pre ticked boxes
- Consent is distinguishable, clear and not bundled with other written agreements
- Data subjects are informed they have the right to withdraw (via the same method as it is given – e.g. website, e-mail, text)
- Separate consents are obtained for distinct processing
- Consent is not relied on where there is a clear imbalance between data subject and data controller.
4. Ensure staff know how to deal with data breaches, erasure and subject access requests within the necessary timeframe.
5. Identify means to demonstrate compliance, for example, paper trails of decisions relating to data processing.
The GDPR’s provisions, and the obligations which they bring, are extensive. More detailed information can be obtained by contacting our Employment or Data Protection specialists.
The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.