The implementation of the General Data Protection Regulation (the GDPR) on 25 May 2018 will see a replacement of the current data protection law set out in the Data Protection Act 1998 and an extension of data protection obligations. Employers process a large amount of data in relation to their employees, not only the information held on personnel files, but also data relating to their use of the computer, access cards and CCTV. With just under a year to go until its implementation, what steps should employers be taking to prepare for the new rules?
Personal data may only be processed where a legal ground is established for doing so. In an employment context this is often the fulfilment of the employment contract, or it may be the legitimate interests of the business (where its interests do not prejudice the individual). However, in relation to certain types of personal data (“Sensitive Personal Data”) consent is likely to be the only ground that will apply.
The GDPR sets out stricter conditions with regard to consent. It makes it clear that consent must be freely given, specific, informed and unambiguous. Consent will not be considered freely given if there is no genuine free choice. Since in an employment contract there is a significant imbalance in the bargaining power of the parties, it is unlikely that consent obtained in an employment contract will be considered to be freely given and therefore there are problems with using this ground.
An employee will also have the right to withdraw consent at any time and this right must be clearly notified to the employee. It must be as easy to withdraw consent as to give it. Employers will need to ensure that a process is in place allowing for such consent to be withdrawn.
Automated decision making
A data subject has the right not to be subject to a decision made solely by automated processing if that decision affects them. This applies to profiling by a company and could apply on recruitment or on automated systems, such as automated absence policies. If such an automated system is used then the employer must establish that it can be justified and employers should start considering whether to retain that process.
Information regarding data
More information must be given to employees as to the reasons why their data is being processed. The information must be given to the employee in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The information which the employer is required to give includes, amongst other details, the source of the data, details of who will receive the data, the period for which the data is to be stored and details of the rights of the employee with regard to the data.
Employee rights in relation to their data
Under the GDPR employees will have more detailed rights in relation to the data being held in respect of them. The GDPR sets out a number of rights which extend the current rights under the existing data protection legislation: the right of erasure (“the right to be forgotten”), rectification, restriction and the right to object to processing, as well as a right to data portability. The most difficult of these for employers is likely to be the right to erasure of personal data without undue delay where certain grounds apply, such as where the employee withdraws consent and there is no other legal ground for the processing.
There are also changes to the data subject access request rights of employees. For example, the right to impose a fee (currently £10) has been removed, unless a request is manifestly unfounded or excessive, in which case an employer can impose a “reasonable” fee. In addition, the time frame for providing copies of the documents has been changed from 40 days to a requirement to comply without undue delay and within one month. It may be that the new rights will lead to an increase in data subject requests, and therefore employers may want to consider reviewing the information they process in relation to employees.
Data Protection Officer (DPO)
Companies may need to appoint a data protection officer. This is necessary where the processing is carried out by a public authority or body, or where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or where they process sensitive personal data (including criminal records data) on a large scale. Employers can consider appointing a DPO voluntarily.
Although this may therefore not be necessary for many employers, it is a matter which every employer must consider.
Notification of breaches
Where there is a personal data breach (for example, an employee has lost an unencrypted laptop containing the personal data of employees in the company), the employer must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. Where it isn’t possible to notify the supervisory authority within 72 hours, the employer must provide the reasons for the delay. In certain circumstances data subjects themselves are also required to be notified of breaches.
Employers need to ensure that they have policies and procedures for dealing with breaches, enabling the correct individuals to be able to determine when such a breach should be notified.
Data processing register
The requirement to maintain a registration with the supervisory authority will fall away under the new regime, but organisations will be required to keep a detailed record of all processing activities that they undertake, including for example a breakdown of all personal data that is processed, the security that is in place in relation to that data, who the data is transferred to and where it is transferred outside the EEA. This record will need to be available to the supervisory authority on request.
Steps to be taken
Whilst there is a year before the introduction of the GDPR, there are steps which employers should consider taking already.
- Perform an audit of the personal data held by the Company.
- Compile a data processing register.
- Understand the legal basis for processing the different types of personal data.
- Consider the issue of where consent is unavoidable and how it can be obtained.
- If consent is not appropriate, what are the grounds for processing the data?
- How is this to be recorded?
- Review any automated processing of data.
- Does a DPO need to be appointed?
- Review and amend the Data Protection Policy.
- Train staff in the new rules which apply.
- Review any document retention policy.
- Review the Data Subject rights policy.
- Given the timeframe for breach reporting, draft a data breach reporting plan.