What will the General Data Protection Regulation mean for HR?
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will apply directly in all EU member states (without the need for domestic legislation).
In last month’s issue of HR Focus we explained that the new, tougher data protection regime will still ‘bite’ for UK businesses despite Brexit. The Government has confirmed that the GDPR will be implemented in this country as the UK will still be a member of the EU when the legislation comes into effect.
But why should the GDPR land in HR’s in-tray? Surely data protection is the domain of your risk management team or the technical experts who monitor your systems?
Abdicating responsibility for the GDPR would be a risky approach, as the new rules implement changes which will directly impact the everyday work of HR practitioners. Also, importantly, the key concerns for departments handling employee data may be very different from those for departments managing your organisation’s interface with clients and customers.
We highlight the most important changes that should be on your HR team’s radar.
The GDPR will set a higher standard for consent to process personal data. It will require consent to be ‘freely given, specific, informed, and clearly indicated by a statement of affirmative action’. The new definition includes a requirement that consent is ‘unambiguous’. If consent is given through a written declaration it must be clearly distinguishable from other matters and easy to understand. This is a more dynamic approach to consent: it becomes organic and ongoing, requiring active management rather than a one-off tick-box exercise.
This means that the standard ‘consent to process data’ clause that features in most employment contracts is unlikely to be sufficient after the GDPR comes into force. Also take care if you rely on pre-ticked boxes or other similar ‘opt-out’ approaches to obtaining consent. For consent to be a lawful reason for data processing under the GDPR, the individual must make an informed choice and ‘opt-in’.
As a minimum you will need to think about creating a separate form to obtain consent to data processing. You might also consider obtaining specific consent for specific purposes (for example if you need to use an employee’s data to refer them to occupational health). It is more important than ever to maintain detailed records to demonstrate when and how consent has been provided.
Any separate consent document will also need to outline a mechanism for employees to withdraw their consent, which they will have the right to do at any time. It should be as easy to withdraw consent as to give it, so avoid putting unnecessary hurdles in the way of an employee who wishes to retract permission to process their data.
Importantly, however, guidance from the Information Commissioner’s Office (ICO) indicates that it will be particularly difficult under the GDPR for employers and public authorities to rely on consent as the basis for processing. This is because there is an imbalance of power in the relationship between the individual and the organisation that controls the data, so consent will not be ‘freely given’.
You will need to think about whether it might be easier and more transparent to use an alternative legal justification for processing data. For example, you could argue that it is necessary to process the data to fulfil your obligations under the employment contract. In reality this may be closer to the true situation, as most employers would need to continue processing employee data to some extent even if the employee had not given consent. It is better to choose the lawful basis that best reflects the purpose of the processing rather than merely relying on “consent”.
Public authorities may be able to argue that data processing is necessary to perform a public task or function, while private sector organisations may be able to state that they have a genuine and legitimate reason for processing the data. Crucially, though, you will need to provide employees and applicants with a statement explaining the reason on which you have chosen to rely and exactly why you think it applies.
Getting consent wrong will have serious consequences for an employer including substantial fines and damage to reputation.
If you have any questions about the most appropriate way to approach consent to data processing in your organisation we are happy to advise you.
New data rights for employees
The GDPR extends the rights of the ‘data subject’ (the individual whose data is being processed), enhancing the entitlement to have data corrected and to object or restrict data processing. These rights are not often raised in an employment context.
However, a new ‘right to be forgotten’ rule may be problematic as employees may query why you need to hold ‘historic’ information about them and put pressure on you to delete it. Tensions will inevitably arise between the need to retain thorough employment records and information (for example regarding previous disciplinary issues and working arrangements) and good data protection practice.
Data subject access rights
The data subject access right (which enables your employees and ex-employees to ask to see the information you hold about them) is broadly similar to the right under the existing rules.
However, the current compliance period of 40 days will be replaced with an obligation to comply ‘without undue delay’ and in any event within one month. You may need to consider how your processes can be streamlined so that you can respond quickly, efficiently and within that one-month deadline.
Be aware though that an extension of two additional months is available if necessary where the request is complex. The collection of data in an employment context can be particularly challenging, as information is often unstructured and spread across different systems. It may be that the normal period of compliance will by default be stretched to three months in an employment context.
However, you will also need to provide additional information to employees requesting access to their data. This includes the envisaged period of storage and information about the data subject’s rights (explained above).
The £10 fee applicable to requests under the Data Protection Act 1998 will be abolished. However, where a request is ‘manifestly unfounded or excessive’ you are entitled to charge a ‘reasonable fee’ to take into account administrative costs. In some circumstances you may refuse to act on the request altogether. Whether a request is ‘manifestly unfounded or excessive’ will depend on the circumstances and may be a difficult judgement call. Hopefully, these changes will discourage very onerous requests.
Reporting a breach
Under the new rules, employers will be required to report a ‘personal data breach’ to the Information Commissioner promptly, and within 72 hours if feasible. If this timeframe is missed you must provide a ‘reasoned justification’ for the delay. There is no requirement to notify if the breach is unlikely to result in a risk to data subjects, e.g. where a lost laptop holds only encrypted data.
The term ‘personal data breach’ covers all kinds of commonly occurring workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It’s important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.
Given the new tight timeframe, it would undoubtedly help to have a clear policy on how to handle a breach, naming a designated point of contact with responsibility to report to the Information Commissioner. Records must be kept of all data breaches and any action taken, even where the obligation to notify the regulator is not triggered. Importantly, if there is a high risk to the data subject (for example the clients or customers named in the lost file) they must also be told.
A tougher penalty regime supports the GDPR and ramps up the risk associated with a data breach. The maximum penalty for non-compliance will be increased to 20 million euros or 4% of worldwide turnover if greater. This is a big step up from the current maximum penalty of £500,000 in the UK. Although this may not necessarily mean higher penalties in practice for most data breaches (as the severity of the breach and any action taken to correct it will always be taken into account) these increased sanctions will undoubtedly lead to a much sharper focus on compliance.
Is there any good news for HR?
It is important to remember, and to communicate to employees, that the tougher data protection rules are a ‘two way street’. To protect your organisation against the greater sanctions of the new regime you will certainly be entitled to ‘toughen up’ how you deal with data breaches perpetrated by your staff. There may be increased scope for your organisation to legitimately use an employee’s data protection obligations as leverage in employment disputes. For example, a departing employee who takes lists of clients and contact details with them now runs the risk of being reported to the Information Commissioner. You may also be justified in taking a harder line in disciplinary action against employees who misuse confidential information about third parties or remove it from your secure systems.
What can you do now?
- Identify your existing data systems and what personal data you process;
- Identify the steps you need to take to be ready for GDPR next year;
- Identify and appoint a data protection officer (if you do not have one already);
- Review your current documentation relating to data protection and consents including contracts, handbooks and policies;
- Identify any “legitimate interests” which you have for processing data;
- Establish a data breach policy and a data retention and storage policy (which includes emails);
- Train staff in GDPR requirements.