Human Resources News – General Data Protection Regulation (GDPR)

June 8, 2017

This human resources news may be as dry as dust, but "what has this to do with me?" I hear you ask. Well, irrespective of Brexit or the General Election, the government has confirmed that this EU legislation will apply from May 25th, 2018.

The Information Commissioner’s Office (“ICO”) has issued some useful general guidance on the GDPR which can be found on their website.

A lot of the GDPR is already enshrined in the Data Protection Act 1998 (“DPA 1998”), so if employers comply with that then they should be in a good position to comply with the GDPR.

However, there are some new requirements in the GDPR which will need consideration, and these are explained in this issue of human resources news. Some key points and practical steps to take are set out below:

Subject access requests

The rules around subject access requests will be changing and that’s the human resources news!

Once the GDPR is in force, employers will have only one month from the date of receipt of a subject access request to comply (as opposed to the current 40 days). That period can be extended by a further two months where necessary, taking into account the complexity and number of requests. Employers will also no longer be able to charge a £10 fee (unless the request is manifestly unfounded or excessive, in which case a reasonable fee based on administrative cost can be charged).

Employers will only be able to refuse “manifestly unfounded or excessive requests”, and will need to have policies and procedures in place to set the criteria for refusal. When a refusal is made, employers will then need to be able to demonstrate why the request met that criteria.

This change means that organisations will have less time to consider and deal with a subject access request. Subject access requests are generally quite complex and time-consuming to deal with as many requests can be vague or require extensive searches to be undertaken across the organisation. Under the GDPR, there will be even more pressure put on employers to comply within a short timescale and for most, this will not be a welcome change.

Increased penalties

Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. This will certainly make some sit up in their chairs and think about data protection!

So, here the human resources news is that the level of fine will depend on the type of breach and any mitigating factors, but this is a significant increase compared to the fines available under the DPA 1998 (in the UK the current maximum fine is £500,000).

Consent

Under the DPA 1998, there must be legal grounds for justifying the processing of personal data. For many employers, and often for organisations providing services as well, the most utilised legal ground is obtaining consent. The usual practice is for employment contracts to contain a general clause which specifies that an employee is consenting to their personal data being processed.

Under the GDPR, individuals’ rights will be modified depending on the legal basis for processing their personal data. In addition, the GDPR is much more prescriptive about requirements for obtaining consent, and specifies that it must be made clear that individuals (including employees) can withdraw their consent at any time. The GDPR says that consent must be freely given, specific, informed and unambiguous. Where the legal ground for processing is consent, individuals will have stronger rights regarding their data (such as the ‘right to be forgotten’).

The consensus is that initially employers should be thinking about conducting a data audit to set out where and why they process any employee data. This is quite hard given the complexity and nuances of dealing with employee data!

Employers will then need to see what legal ground they need to be able to process such data. In very general terms, the legal grounds for processing data under the GDPR will be as follows:

  • Consent of the data subject.
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to protect the vital interests of a data subject or another person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

It is possible that a solution will be for employers to get employees to sign a more detailed and separate consent form, rather than making it part of the employment contract.

The human resources news is that in reality very few employees are going to object to their employer processing their data. However, employees will need to be informed about their right to be able to revoke consent at any time, which is why a separate consent form may be useful. This will also be evidence of the consent having been given.

The above said, the GDPR indicates that consent will not be freely given where there is a clear imbalance between the individual and the controller, and this is likely to be the case in an employer-employee relationship.

Therefore, given the increased complexity around obtaining consent, it may be very wise to consider if there are other grounds that can legitimately be used to justify processing employee data and to utilise those wherever you can.

The ICO has indicated that the “legitimate interests” ground is likely to be the most relevant for employers. If there are other legitimate grounds, then employers will not need to seek consent.

The latest human resources news is that the ICO has issued draft guidance about consent under the GDPR, again available on its website.

Data breach notification

The GDPR imposes a new mandatory data breach reporting requirement. Where there has been a personal data breach (for example, an accidental loss of data, or hacking of computer systems with data revealed on the internet), an employer must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If that timescale is not met, the notification will need to be accompanied by the reasons for the delay. Where the breach is likely to pose a high risk to the rights and freedoms of the individuals concerned, those individuals will also have to be notified without undue delay.

There have been some infamous data breaches over the past few years, including the recent NHS data breach. Prevention is better than cure, so employers should be reviewing safeguards and putting policies or systems in place so that data breaches do not occur in the first place.

Employers should also have policies and procedures in place (plus training on these) to ensure data protection breaches are recognised, reported to the right person (who can make decisions on whether to report to the ICO), and are reported quickly.

Privacy notices

Under the current law, employers are required to provide employees and job applicants with a privacy notice which covers matters such as how you use their information. Under the GDPR, employers will need to provide more detailed information in privacy notices, such as:

  • how long data will be stored for;
  • if data will be transferred to other countries;
  • information on the right to make a subject access request; and
  • information on the right to have personal data deleted or rectified in certain instances.

Data protection officers

All public authorities, and those private organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special category data (for example, health data), will need to appoint a data protection officer to carry out activities related to the GDPR and monitor compliance.

Conclusion to this Human Resources News

I hope you have got this far in this edition of human resources news, because it is important to be thinking about the GDPR now given that it will be in place in a year's time.

The first step is to audit what data you process and why you need to process it. This will then help you determine what the next steps to take to ensure compliance are.

Data protection is going to be an increasingly important issue, so it is worth investing effort and some resources into such matters, especially with the threat of increased penalties for non-compliance.

Please talk to me for more help and guidance in this area or any other HR area.


  • Ian Cooley

    Your latest Human Resources News relating to GDPR is generally useful, although I have to highlight that your views around a couple of issues, in particular consent, are at odds with both the GDPR and indeed the current ICO Guidance. We provide advice to HR providers and organisations on compliance with GDPR and Data Protection so have found that there are recurring themes being raised.

    Consent

    For processing to be lawful under GDPR you need to identify (and document) your lawful basis for the processing. However there are six lawful bases listed in Article 6(1), and consent is just one of them.

    Whilst you list them as bullet points, you have consent as the first when in fact it should be considered as the last of the six when none of the preceding five are applicable. This is because, to quote the ICO guidance, "Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate". In the case of the employer/employee relationship there are legal obligations, eg HMRC requirements, pension contribution records etc., for processing personal data in performance of your obligations as specified in the employee's Contract of Employment.

    In my opinion consent would not normally be required for any processing in relation to the 'normal' employer processing of data. This in turn means that the issues of an employee withholding consent or exercising their 'right to be forgotten' do not arise.

    An employer should however be mindful of the more general principle of only holding data for as long as necessary to meet their obligations, eg Display Screen Equipment (DSE) assessments, for which recommended best practice is currently 40 years.

    Subject Access Requests

    You say that “Once the GDPR is in force, employers will have only one month from the date of receipt of a subject access request to comply (as opposed to the current 40 days).“

    You are correct that the time period is one month, but that is from a valid request being received. Organisations need to take steps to validate a request if the initial request does not provide sufficient information.

    Also there is an expectation of a bow-wave of SARs around the time of GDPR coming into force as people better understand their rights around use of their information.

    Increased Fines

    The fines are increasing from a maximum of £500k, but the ICO has not, to date, used the maximum fine of £500k in any enforcement action. The deterrent of a fine should not be the reason for compliance; the best practice use and security of personal information should be the main driver.

    In conclusion, GDPR is a complex piece of legislation which has yet to generate case law with the resultant associated changes to guidance and recommended best practice. I would always recommend taking specialist advice on your particular circumstances.

    Finally I would echo your final two paragraphs:

    “The first step is to audit what data you process and why you need to process it. This will then help you determine what the next steps to take to ensure compliance are.

    “Data protection is going to be an increasingly important issue, so it is worth investing effort and some resources into such matters, especially with the threat of increased penalties for non-compliance.”

    Organisations will need to prove, from next May, that they are dealing with the personal information they hold in line with the regulation or there will be penalties.

    Ian Cooley

    ARP Data Protection Services
    http://www.audit-and-risk.co.uk