You cannot fail to have noticed that the GDPR (General Data Protection Regulation (EU) 2016/679) came into force today. The Data Protection Act 2018 received Royal Assent on 23 May and ensures that the standards set out in the GDPR have effect in the UK.
The GDPR affects the processing of employment data – but what does this actually mean for employers?
Changes to contracts of employment
Many existing contracts of employment will contain clauses giving consent for employers to process their employees' employment data. As a result of the GDPR, the conditions for obtaining consent to the processing of data are stricter, and it may not be possible for employers to rely on explicit consent from the employee, particularly not in the form of a blanket consent in the employment contract. Contractual provisions should now be an acknowledgment of the data processection legislation and of the grounds on which employee data will be processed.
Draft Data Privacy Notices and Candidate Privacy Notices
The first data protection principle is that personal data must be processed lawfully, fairly and in a transparent manner. Transparency is an important concept, and employers are required to provide additional information to their employees. This should include: the data controller's identity and contact details; details of any data protection officer; the purpose of the processing; the legal justification for the processing; the recipients of the personal data; details regarding any transfer to recipients outside the EU; the period for which the personal data is to be retained; and an explanation of the rights which employees have in relation to their data. This information should be given to the employee at the time the data is collected (so at the date of employment or soon after). A short-form privacy notice should be issued to candidates at the time of the recruitment process.
Amend any Data Protection policies
As mentioned, employers must be transparent and accountable in relation to the processing of their employees' data. Employers will therefore need to ensure that their Data Protection Policies are updated to reflect the new rights of employees. Other policies, such as the disciplinary and grievance procedure, the employee monitoring policy, and the use of company devices and internet and email use policy, may also be affected and need to be amended, e.g. tightening up on personal email use at work.
Review the reasons for processing personal data
As consent can no longer be easily relied upon, employers will need to consider the reason for processing personal data. Data can be processed to comply with a legal obligation, to comply with a contractual obligation, or to pursue legitimate interests (balanced against the rights of the employee). Employers will need to consider which condition applies to whatever data they hold, and this information should be provided in the data privacy notice referred to above.
Obtaining consent for specific purposes
There may be situations in which employers do rely on consent as the reason for processing employee data. However, consent must now be specific and informed, freely given and unambiguous. In addition, employees must have the right to withdraw consent. Employers therefore need to be clear that any consent mechanism complies with these criteria.
Consider the impact on recruitment
Applicants for roles within the company are also covered by the GDPR. In addition to providing the applicant with a privacy notice, employers should also be aware that the GDPR contains a prohibition (with certain exceptions) on automated decision-making processes, and information must be given to the applicant about any such process which applies.
Establish processes to deal with employee rights in relation to their data
The GDPR gives greater rights to data subjects, including enhancing the existing right to make a data subject access request (DSAR) in relation to their personal data. Employers need to ensure that they have in place the necessary procedures to deal with a DSAR and the other rights available: the right of erasure, rectification and restriction, known in the press as “the right to be forgotten”. Processes and procedures must be adapted to ensure that they can comply with these rights.
Appointing a Data Protection Officer
Not all employers are required to appoint a data protection officer. However, those companies which are involved in regular monitoring or large-scale processing must appoint an officer, and other companies may decide to appoint one in any event. The data protection officer will have enhanced employment rights when carrying out their duties, and employers should be clear on the terms applicable to the DPO.
Processes for responding to a breach
Employers are required to notify the regulator of breaches without undue delay (within 72 hours if possible) and, in certain circumstances, to notify employees. Again, employers should ensure that processes are in place to respond to a breach.
The Information Commissioner's Office will want to see that companies have taken their obligations under the GDPR seriously. As part of this, employers must ensure that all staff are provided with training on the GDPR so that they understand the impact on their work and how they themselves retain information on other data subjects.
Many employers will have already taken these steps, but if you need anything further or more detailed information, we would be pleased to come and talk to you about your needs.