An employer's guide to GDPR
What has GDPR meant for employers? We offer guidance for employers on the key issues.
When it was enacted on 25 May 2018, the General Data Protection Regulation introduced a number of stringent requirements for all companies that deal with EU citizens, in particular employers, who had to ensure that they met the requirements of GDPR when processing employee data. So what has GDPR meant for employers? Below we offer guidance for employers on the key issues.
If you have not already done so, it is vital that you perform a data audit. This is the aspect which will require the most from you as employers. However, once done, it will feed into the majority of the other tasks required to be undertaken to ensure compliance.
In short, all employers should conduct a review of all the personal data/special categories of personal data (sensitive personal data by another name) which you hold/process and look at:
- Why you have it
- Whether you need it
- What you do with that data
- The type of data it is
- Whether there is a lawful processing basis for retaining it under GDPR
- How long you need to keep it
- What measures you have in place for keeping it secure
Under GDPR you are only to process and/or retain personal data if you have a specified lawful basis to do so (usually one of: the performance of the employment contract; to comply with a legal obligation; and/or for the purposes of legitimate interests you pursue). If you do not have a lawful basis, you should not retain it. If you had a lawful basis but that has expired (i.e. you no longer need it), then there are limited circumstances in which you should retain it. By conducting the audit, you will be able to identify not only the data you do not need but, more importantly, what you do need. You are then able to look for a lawful basis upon which you can say it continues to be processed and ensure that it is retained securely.
This process will also help you identify any problem areas and may help you to rectify problems with security, retention or processing. We are happy to advise on any potential problem-areas identified. Should any data breaches occur in the future or should you be subject to scrutiny from the Information Commissioner in relation to compliance, this exercise will be a key corner-stone to you being able to demonstrate to the ICO that you have taken positive steps to comply with the GDPR and to show that you were aware of what you needed to do, and took steps to avert risk-areas.
If you have not already done so, it is vital that you address the above questions as soon as possible.
Data protection basics
It is important that employers remember that GDPR is more evolution than revolution in data compliance. Many of the basics are the same as they were under former data protection legislation. In particular:
- Personal Data – effectively the same as former data protection legislation.
- Sensitive personal Data – now called "special categories of personal data" but effectively the same as former data protection legislation.
- Data retention periods – employers' obligations have remained effectively the same as former data protection legislation.
- Data security – again, effectively the same as former data protection legislation.
There are also some very important changes which apply under GDPR. Importantly though employers need to recognise that GDPR has brought a heightened awareness of data protection rights, has added significantly to powers of the Information Commissioner’s Office to award financial penalties and has increased the potential for employers to face more litigation from employees who believe that their personal data is being mishandled.
Getting the basics right is crucial; be clear what personal data you are collecting and why; tell your employees what you are doing and why; be satisfied that you are entitled to collect that data; treat it with respect – don’t disclose it to third parties unless you need to, keep it secure and don’t keep it longer than you need to. All employers should already be taking these basic compliance steps.
Under GDPR you are required to inform data subjects of what you will do with their data upon receipt or within a month of receipt. You do this through Privacy Notices and there are specific issues that you must address.
Receipt of personal data can occur at any time but our advice to employers is to make sure that you have systems in place to ensure that Privacy Notices (or at least links to them) are sent to data subjects at the times you normally receive personal data. The main two situations for employers are:
- Applicants for employment/engagement; and
- New starting employees.
Applicants will usually complete an application form and provide a CV, both of which are likely to include personal data such as names, addresses, telephone numbers and nationality.
New starters will have to provide you with the same data above as well as other information such as bank account details, National Insurance numbers, Right to Work documentation and often medical information establishing fitness to work.
Both these situations will need Privacy Notices setting out issues such as:
- The identity and contact details of the Data Controller
- The legal basis for processing
- The categories of personal data being processed (if received from a third party)
- Who will receive/have access to the data
- Length of time the data will be stored
- Data subject rights
The audit referred to above will assist the compilation of these notices.
There has been a lot of misinformation produced about the use of consent as a legal basis for employers to process personal data under GDPR.
The important points to note however are:
- Consent remains a legal basis upon which to process personal data, but
- GDPR puts limitations on its use.
GDPR has numerous options available to employers for establishing a legal basis to process the data they have which do not rely on consent and we would suggest a good starting point is to avoid using consent wherever possible (as long as another lawful processing basis can be found).
For example, under the Data Protection Act, employers commonly relied upon consent for the processing of medical data.
Under GDPR however, there is an express legal basis for processing such sensitive personal data for the purpose of considering fitness for work. Consent is not required.
That said, if consent is to be used it will need to be:
- Freely given
- Informed and unambiguous
- Properly separable from an agreement to any other issue
The data subject will also need to be informed of their right to withdraw consent at any time.
GDPR imposed obligations which require employers to both record and report data breaches.
Following the introduction of GDPR, if a personal data breach occurs, which is a high risk to the rights and freedoms of individuals (for example where the personal data is exposed to be potentially accessed by others), an employer must, without undue delay and not later than 72 hours after having become aware of it, notify the ICO.
Reporting is only required when a data breach is a high risk. Where this is the case, the following needs to be set out to the ICO:
- The nature of the breach with details including the numbers of individuals and records concerned
- Contact details for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate the adverse effects.
The employer will also need to inform the individuals affected by the breach and the last 3 of the bullet points above (unless limited exceptions apply).
Whilst non-high risk breaches do not require reporting to the ICO, they will require recording (along with the high-risk ones). The record should also set out the steps taken to mitigate the risk of such breaches occurring again. That log should be stored securely should the ICO wish to inspect it.
To comply with the reporting and recording requirements above, employee education on these issues is key.
For more information, see our article on what to do if a data breach occurs.
Employment contract clauses
Under the GDPR, consent is supposed to be freely given, informed, unambiguous and unbundled from other terms and conditions.
The Information Commissioner’s guidance tells us that:
“Freely given consent will … be very difficult to obtain in the context of a relationship where there is an imbalance of power- particularly for … employers”.
That means one perfectly sensible approach is to decide that such provisions are no longer of any value post-GDPR and to just remove them from the employment contract altogether. It would be good practice to still include something which requires your new employee to adhere to data protection principles or your policy, but as consent in such a document is of such limited value it could be removed.
If consent is to be obtained for any particular piece of processing (such as obtaining an occupational health report or using their photo for marketing purposes), then consent can be freely obtained at that time separately (without their having a risk of adverse sanction) and addressed specifically to the thing you want them to agree to.
However, there is an alternative view which says that there is no down-side to including a provision in the contract which addresses data protection and obtains consent to the (possibly limited extent) that you are able to do so.
Such a clause could:
- Acknowledge that you will hold and process personal data about the employee (including special categories of personal data);
- Identify the purposes for which you might do so, such as the administration, management and operation of employment (including payment of wages and maintenance of attendance, performance and conduct records);
- Spell out the legitimate reasons (other than consent) which you will be relying upon to process the data (usually: performance of the contract; comply with legal obligations; and/or for the purposes of legitimate interests pursued by you);
- Include consent to such processing to the extent the employee is able to do so; and
- Acknowledge that the consent can be withdrawn by notifying you.
Only time will tell whether such provisions become the norm or whether these clauses will disappear altogether, but for now, you are likely to need to at least slightly vary your contractual provisions if you decide not to remove them altogether.
Don’t forget that your new recruit should also be given a privacy notice, as we explored above.
HR record retention
The Information Commissioner says that, under GDPR, organisations (as data controllers) need to document retention schedules for the different categories of personal data. The ICO says that this may be set by internal policies or based on industry guidelines. So under GDPR, you need to have a written statement saying how long you will keep different types of employee data.
So how long is that? Remember that processing data includes simply storing it, so if you don’t have a lawful reason for keeping it, you shouldn’t do so. The plans you have in place to demonstrate GDPR compliance should spell out not just how long you are keeping things for, but why.
Whilst you do need to have a valid lawful reason for retaining documents, overly optimistic statements on data retention/destruction may also cause you problems. We know that the Information Commissioner is unimpressed if organisations do not adhere to what they say about documentation retention, so when setting out what you will do, be realistic and record what will actually happen.
Whilst we have heard of GDPR 'experts' recommending the wholesale destruction of most employee records; we would recommend being more cautious. Documentation is so important when it comes to defending an employment claim, we would always say it is better to keep records for as long as you can, where you may need to do so. This risk will, in most cases, be a legitimate reason to retain records and the limitation periods for claims provides a sensible basis/rationale for record retention.
An employee can bring a claim for breach of contract at any time up to six years after their employment has ceased. Accordingly, the period of six years from the end of employment provides a sensible starting point for record retention. However, strictly speaking, you do need to keep the records a little longer as you will not necessarily be notified of a claim until after the six years has expired. Similarly, the period for which most employee records need to be retained for tax purposes is six years from the end of the relevant tax year, so some variation on six or seven years may be a sensible period – with the period over six years allowing for the possibility of a claim or the end of the tax year.
Retention periods do however need a little bit more consideration for employee records and one size does not fit all. Some other periods to consider are:
- There is probably little need to retain recruitment files for more than six months after appointment. Most claims which can arise must be brought within three months of being informed about the decision (or at least ACAS must be contacted in that period). You should, however, retain the appointee’s records throughout their employment and you might want to consider longer periods of retention if the applicants for one job might be considered for later vacancies (presumably having told them that this might occur);
- It is important to retain some records to ensure that you know when people have worked for you and in which roles, for a far longer period. You may need to provide references long after an employee has ceased to work for you, for example;
- The breach of contract risk won’t justify retaining all records for six (plus) years, so you should prune files and records to remove things which are no longer required. Mortgage application letters or next of kin contact details are two examples of things common to personnel files which do not need to be retained long after someone has left. Ideally, personnel files for current employees should also be pruned regularly so that historical data is removed when it can no longer be required; and
- Health reports and records are special categories of personnel data and therefore retention should be carefully considered and appropriate limits determined. However, some health records need to be retained even longer than other records, such as those relating to asbestos and hazardous substances which need to be kept for 40 years.
When determining and recording how long to keep things it is also worth being sensible about how destruction will occur. For those with slick computerised systems specific destruction periods may be workable, but for those of you taking on the job of destroying physical files, it will be worth recording in your policy that destruction will be undertaken periodically (and possibly defining roughly when that will occur).
What is also important with record retention is the security applied. Whilst advising on GDPR implementation, we have been told some concerning stories about managers with box files open to anyone which contain all sorts of staff personal data and documents. The records you keep must be retained securely and, ideally, centrally. The Information Commissioner will look to all employers to have a policy detailing the periods of retention of employee records/data, but they will be far more concerned about what you have in place if an ex-employee's personal data is accessed and disseminated by one of your staff who did not have a legitimate reason to access it.
GDPR applies to pension schemes too. The practical implications of GDPR depend largely on the type of pension scheme that you offer for your workers.
If you offer a contract based scheme (such as a group personal pension), the onus of GDPR for the scheme will fall largely on the provider. The same is true if you participate in one of the commercial master trust schemes used by many employers to comply with their automatic enrolment obligations. If you have your own trust-based occupational pension scheme, however, there is more work to do. The legal responsibility falls primarily on the scheme trustees.
Key GDPR related action points for scheme trustees include:
- Issue GDPR compliant privacy notices to members. Alternatively, some trustees may prefer to review and update existing notices.
- Review and update other scheme documents such as membership forms and death benefit nomination forms.
- Contact external administrators and other service providers to check what scheme data they hold and the compliance measures they are taking.
- Identify the categories of data held and the legal grounds for processing it. So far as possible, pension schemes will want to rely on grounds other than consent.
- Review and update contracts with service providers to ensure they contain suitable GDPR provisions.
- Put in place a policy for identifying and reporting any breaches to the ICO.
- Prepare a GDPR policy to document processes and to help demonstrate compliance.
As an employer, you have an interest in ensuring that your scheme is GDPR compliant. Compliance breaches may reflect administrative weaknesses in the scheme. They may also damage their reputation in the workplace. Under most schemes, the costs associated with non-compliance (including potential fines) may ultimately be borne by the employer.
Scheme trustees and employers should discuss GDPR and cyber security issues. Working together, especially in matters such as IT support, will help to minimise overall costs.
You may already have made a substantial investment in ensuring that your business is GDPR compliant. If you have not already done so, ask the trustees of your pension scheme to confirm they are GDPR compliant.
Subject Access Requests
Whilst Subject Access Requests (SARs) are not new, GDPR has brought in some changes. Below is a selection of some of the changes and a few things to remember when dealing with them.
Overall, we believe there will likely be an increase in SARs going forward (largely due to the fee issue referred to below) but it is difficult to predict how much at this stage.
- SARs are to be responded to without undue delay and in any event, within one month of receipt of the request (however, this period can be extended by a further two months where it is necessary in consideration of the complexity and number of requests).
- Employers will not be able to charge a fee for Subject Access Requests unless it is “manifestly unfounded or excessive”.
- Employers will have the option of refusing to act upon a request if the requests are found to be manifestly unfounded or excessive (although the burden will be on the Employer to show that this is the case and this is likely to be limited to fairly extreme circumstances).
- Employers are to provide electronic means for SARs to be made and where an employer processes a large quantity of personal information, it is able to request, before responding, that the employee specifies the information for processing activities to which the request relates.
Things to remember:
- An employee’s right to request access to the data held about them is nothing new. GDPR was designed to make it a little easier but also to clarify some of the rules.
- There is no requirement for employees to specifically confirm that they are making a SAR or to send it to a particular person. As such, an employer should educate its employees to recognise when that may be occurring. After all, a month is not a long time to respond.
- The removal of the right to charge a fee will come as an unwelcome change for most employers as it removes a potential deterrent.
- It is worth remembering however that the right is to provide a copy of the personal data is not the same as a requirement to supply specific documents. Albeit, it is often easiest to produce a copy of the document (with redactions to protect the information of other people involved).
- Where there is a large quantity of largely repetitive data, a possible approach could be to summarise the data fairly and in reasonable detail. If such an approach is taken however, it is essential that it is not used to hide information that the employer prefers not to disclose.
- The principle of proportionality underpins Subject Access Requests which means that whilst an employer must make a genuine and extensive effort, it does not have to go so far as to leave no stone unturned. How far this stretches in practice will be a question of fact and degree. The easier it is to access, the more likely it will be found that it should have been provided. Guidance suggests that the measures adopted to comply with a SAR should not exceed the limit of what is appropriate and necessary to achieve the objectives pursued by the legislation. The issue most employers find troubling is the disclosure of emails (which of course can amount to personal data). This will likely remain to be the case. If you are ever concerned, we would always suggest advice be sought.
- Recital 63 of the GDPR confirms that an employee’s right is to access their personal data, exercise that right easily and to be aware of, and verify, the lawfulness of processing. The focus therefore when dealing with a SAR centres around establishing the lawful processing basis of any personal data held. Following an employer’s audit of the data they have and confirmation of the basis for its processing (within its own records as well as its privacy notices), this task should not be too onerous.
Medical records and consent
Health information is "special category data" under the GDPR and the employer needs to show a lawful basis for processing it.
Under the Data Protection Act employers typically relied on consent to process medical information about their employees. Whilst explicit consent is a lawful basis for processing medical records and reports under the GDPR it is generally not appropriate to rely on consent in the employment context. So if consent is not an option, what is?
The most likely lawful reason in this context is that the processing is necessary for the performance of rights and obligations in connection with employment, for example:
- Administering sick pay;
- Providing access to health insurance or permanent health insurance benefits;
- Making reasonable adjustments for disabled employees;
- Considering medical evidence before dismissing an employee on the grounds of capability to ensure a fair dismissal.
Where an employee genuinely volunteers health information it may be appropriate to rely on consent but employers must bear in mind that consent can be withdrawn and if it is and there is no other legal basis to process the data, it should not be retained.
You also need to bear in mind that under the Access to Medical Records Act, consent will still be required to obtain a medical report about an employee. One-off reports from Occupational Health providers, company doctors and specialists may not strictly be covered by the Access to Medical Records Act but it is usual nonetheless to seek specific consent from the employee.
If the employee has not already been given a Privacy Notice this should be done prior to the data being obtained and it is advisable to provide employees with a specific privacy notice for the medical records.
Disciplinary and grievance records
The Information Commissioner says that, under GDPR, organisations (as data controllers) need to document retention schedules for the different categories of personal data. Information concerning disciplinary and grievance issues is no different to other types of data that you may retain about your employees but you do need to give special consideration to how long you will retain the data and what you will use it for and ensure that it is destroyed in accordance with the schedule you have set.
Remember that within disciplinary and grievance matters there will be a wide range of data collected including:
- Statements from witnesses
- Emails and other communications
- Computer records depending on the allegations/complaint
- Notes of the hearing
- Outcome letter
- Appeal paperwork, hearing notes and outcome.
You must ensure that the data is only used for the purposes you have told the employees it is being processed for. Your privacy notice should set this out.
We know that many employers struggle with how long (if at all) to retain expired warnings on file. It is often useful to retain details of expired warnings for a period of time as there are limited circumstances where a spent warning may be taken into account in future disciplinary matters. The Information Commissioner suggests that employers have a clear procedure for how expired disciplinary sanctions are dealt with. If your policies or letter confirming the warning say that spent warnings will be destroyed or removed from the personnel file it is important that you do so. However, ideally your policies, privacy notice and letters should refer to warnings being spent but without detailing that the warnings will always disappear, which enables you to retain spent warnings in case they are relevant without breaching what you have said. As with many data issues, it is sensible to have appropriate limits upon who can access such information.
When employment is terminated, you should keep an accurate record of the reason for dismissal and this should mirror what the employee was told. This may be relevant if the employee brings a claim or requests a reference in the future.
As a minimum disciplinary and grievance records should be kept for at least 6 months following termination of employment to ensure that you have all the relevant paperwork in the event a claim is brought against the organisation. However, there is certainly justification for retaining the records for longer given employees have up to 6 years to bring a breach of contract claim.
What is absolutely critical is to ensure that you have a policy and implement it. We know that the Information Commissioner is unimpressed by organisations that do not do what they say they are going to do. Therefore, however long you decide to retain the records for, you need to ensure that destruction within that period is realistic for your organisation.
As with all employee data, security is of paramount importance. Once a disciplinary or grievance matter has been concluded it is important that the manager dealing with the issue returns or destroys their copy of the paperwork and a single central record is retained to avoid anyone being able to access it who has no legitimate reason to do so.
Under the General Data Protection Regulation, the Regulator can penalise organisations for breaching the GDPR.
So how can you avoid being subject to a fine?
- By ensuring that you have adequate procedures in place for identifying and reporting breaches, as well as all aspects of data protection.
- By having a 'doing all you can' attitude to complying; this, in turn, will be viewed much more favourably than a blatant disregard towards the GDPR obligations.
- Of course, the main aim is to be fully compliant and not make any infringements; to assist you with full compliance, you will need to make sure the groundwork is in place by ensuring that you have the best systems in place to avoid any infringements.
As the potential fines are substantial, it is good practice to ensure you are compliant with the Regulation and don’t get caught out.
If however, you are found to be in breach of the GDPR, then the Regulator can apply one of two levels of fines against you, namely:
- The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher; or
- The second of up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. It is important to note that these figures are the maximum figures. Infringements that could warrant a higher level fine, include, but are not limited to:
- Breaching the basic principle for processing, including conditions for consent, the lawfulness of processing and processing of special categories of personal data;
- For not dealing with the rights of the data subject correctly; and
- Transferring personal data to a recipient in a third country or an international organisation
It is worthy of note that fines for infringements will be considered on a case-by-case basis. Before deciding to impose a fine on you for a potential breach, certain elements will be taken into consideration, for example:
- The nature, gravity and duration of the infringement; taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them;
- If there have been any relevant previous infringements by the controller or processor;
- The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; and
- The categories of personal data affected by the infringement
The value of the fine to be imposed is however not clear-cut. Your behaviour will be taken into account when determining the value of the fine. You may have the opportunity to influence the reduction of any fines by, for example, by promoting a culture of data protection and being able to show the steps you have taken to comply.
One final point to consider separate to these fines and penalties, you should be aware that individuals have the right to claim compensation for any damage they believe has been suffered as a result of breaching the GDPR.
Should you have any questions on any of the above (or GDPR in general) please do not hesitate to speak to your usual contact in the Weightmans employment, pensions and immigration team or contact Ross Hutchison (Ross.Hutchison@weightmans.com). This information is focussed on the GDPR challenges faced by HR and those responsible for people-issues, but if you have wider concerns about GDPR and what it might mean for your business Weightmans are also happy to help.