
GDPR basics

  • One of its aims is to harmonise data protection processing across the EU.
  • It gives employees greater rights as data subjects.
  • There are very significant penalties for breaching the GDPR.
  • Unlike the rules under the Data Protection Act, the burden of proof is now reversed, so the responsibility will be on the employer to provide good reasons for the retention of personal data.
  • ‘Pseudonymization’: a process for separating personal data from its direct identifiers.
  • Employers need to issue privacy notices to job applicants.

What is personal data?

  • Identification of an individual will not only be by name, but “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. This is intended to be a very broad definition and will include IP addresses and cookie strings.
  • Sensitive personal data is broader and includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic and biometric data, data concerning health or data concerning a person’s sex life, sexual orientation or criminal offences.

Rights to obtain and hold personal data on new applicants

  • The six data protection principles which were in the DPA remain, but when processing personal data the employer must also satisfy one processing condition and, if it is sensitive personal data, at least one sensitive data processing condition.
  • The processing conditions are: consent of the data subject; that the processing is necessary for the performance of a contract or to take steps in preparation for the contract; that it is necessary to comply with a legal obligation; that it is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority; or that it is necessary for the purposes of legitimate interests. An example would be that you need the data subject’s bank details in order to process their salary; however, you must obtain their explicit permission to hold this data, make them aware of how it is stored and how long you need to hold it for, and they can at any time ask for it to be deleted.

Rights of employees under GDPR

  • The right to be informed, which includes the need for employers to explain how they would use this data.
  • The right of access, including revisions to the subject access request (SAR).
  • The right to rectification of data that is inaccurate or incomplete.
  • The right to ‘be forgotten’ (data deleted) under certain circumstances.
  • The right to block or suppress processing of personal data.
  • The right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
  • There are requirements for obtaining consent to process data and employees must be able to withdraw their consent at any time, as easily as they have given it.
  • Employers are unlikely to be able to rely on ‘consent’ (on the basis that the power relationship means that consent will never be given in a true way), and even if consent is given it is unlikely to be deemed valid, so you will need to rely on your legitimate business interests to process the data.
  • These rights will extend to job applicants and the retention and processing of their CVs.

Personal data employers cannot request

  • Employers will only be able to ask for and hold data that’s ‘adequate, relevant and limited to what is necessary’. The data held should be for specific, explicit and legitimate purposes. Be careful of holding any data that could be deemed discriminatory.
  • A new concept in European data protection law, “pseudonymization”, describes a process that renders data neither anonymous nor directly identifying. It is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
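The following is an added illustration of the pseudonymization described above and in the GDPR basics list; it is example code written for this page, not code from Newman HR or from any regulator. It assumes a small HR data set of constructed, fictitious records and treats the HMAC key and the re-identification table as the "additional information held separately": the pseudonymised records can still be analysed and linked per subject, but nobody holding only those records (and not the key or table) can get back to a name, email or employee number.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Columns that identify a person directly; these are removed from the working data set.
DIRECT_IDENTIFIERS = ("name", "email", "employee_no")

# Constructed sample HR records. Names and addresses are fictitious.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Alice Example", "email": "alice@example.test", "employee_no": "E1001",
     "department": "Finance", "sick_days": 3},
    {"name": "Bob Sample", "email": "bob@example.test", "employee_no": "E1002",
     "department": "Finance", "sick_days": 0},
    {"name": "Alice Example", "email": "alice@example.test", "employee_no": "E1001",
     "department": "Finance", "sick_days": 1},
]


def make_pseudonym(key: bytes, employee_no: str) -> str:
    """Keyed hash of the stable identifier.

    The same person always maps to the same token (so records stay linkable),
    but without the key the token cannot be reversed, and an attacker cannot
    confirm a guessed employee number by recomputing the hash.
    """
    return hmac.new(key, employee_no.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split records into (pseudonymised data set, re-identification table).

    The two return values must be stored and access-controlled separately;
    holding them together would defeat the purpose.
    """
    pseudonymised: List[Dict] = []
    lookup: Dict[str, Dict] = {}
    for rec in records:
        token = make_pseudonym(key, rec["employee_no"])
        # Direct identifiers go only into the separately held table.
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = token
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def contains_direct_identifiers(records: List[Dict]) -> bool:
    """Sanity check before a data set leaves the HR system: True if any direct identifier survived."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


def sick_days_per_subject(records: List[Dict]) -> Dict[str, int]:
    """Example of analysis that still works on pseudonymised data (linkage via the token)."""
    totals: Dict[str, int] = {}
    for rec in records:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["sick_days"]
    return totals


def reidentify(record: Dict, lookup: Dict[str, Dict]) -> Dict:
    """Re-attach identity; only possible for whoever holds the separately stored table."""
    return lookup[record["subject_id"]]


if __name__ == "__main__":
    # Constructed key for the demonstration; a real key would come from a key store.
    demo_key = b"constructed-demo-key-do-not-reuse"
    data, table = pseudonymise(SAMPLE_RECORDS, demo_key)
    print("direct identifiers present:", contains_direct_identifiers(data))
    print("sick days per subject:", sick_days_per_subject(data))
    print("re-identified second record:", reidentify(data[1], table))
```

Rotating the key produces a completely different set of tokens, which is useful when a data set is shared with a contractor (such as a payroll provider) so that tokens given to one party cannot be matched against tokens given to another.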

Storage and security obligations of employee personal data

Employers have an obligation to ensure that appropriate technical and organisational measures are taken to prevent unauthorised or unlawful processing, loss, damage or destruction. You need to get confirmation that any of your contractors who use this data (e.g. payroll providers) have in place their own procedures and policies to comply with GDPR.

  • Employers’ responsibilities under the GDPR mean you should provide more detailed information to employees, including how long their data will be stored for, whether the data will be transferred to other countries, information on the right to make a subject access request, and information on the right to have personal data deleted or rectified in some circumstances.

Miscellaneous but important

  • There is a new mandatory breach reporting requirement: if there is, for example, an accidental loss or disclosure, the employer will have to report the breach within 72 hours to the ICO, and failure to do so will result in a fine. Where the breach poses a high risk to the individuals, those individuals will also have to be notified.
  • Subject Access Requests: employers will have a month to comply. You can refuse or charge for requests that are manifestly unfounded or excessive, and if you refuse a request you must tell the individual within 1 month why, and that they can complain to the ICO.
  • The accountability principle requires businesses to demonstrate that they comply with the data protection principles and states explicitly that it is their responsibility to do so.

Data Protection Privacy Impact Assessments

  • Privacy Impact Assessments (PIAs) can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
  • Employers will be required to carry out PIAs if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals.

We can help by providing policies, procedures and data protection privacy impact assessments, and by providing guidance on record retention policies and how to handle subject access requests. We will generally put you on the road to becoming GDPR compliant. For more information……

GDPR will evolve as a result of case law; we will keep you updated with the latest developments.