This human resources news may be as dry as dust but what has this to do with me I hear you ask. Well irrespective of Brexit or the General Election the government has confirmed this EU legislation will be with us from May 25th, 2018.
The Information Commissioner’s Office (“ICO”) has issued some useful general guidance on the GDPR which can be found on their website.
A lot of the GDPR is already enshrined in the Data Protection Act 1998 (“DPA 1998”), so if employers comply with that then they should be in a good position to comply with the GDPR.
However, there are some new requirements in the GDPR which will need consideration which are explained in this issue of human resources news. Some key points and practical steps to take are set out below:
Subject access requests
The rules around subject access requests will be changing and that’s the human resources news!
Once the GDPR is in force, employers will have only one month from the date of receipt of a subject access request to comply (as opposed to the current 40 days). There can be an extension for a further two months if necessary, if the request is complex. Employers will also no longer be able to charge a £10 fee (unless the request is excessive, in which case a proportionate fee can be charged).
Employers will only be able to refuse “manifestly unfounded or excessive requests”, and will need to have policies and procedures in place to set the criteria for refusal. When a refusal is made, employers will then need to be able to demonstrate why the request met that criteria.
This change means that organisations will have less time to consider and deal with a subject access request. Subject access requests are generally quite complex and time-consuming to deal with as many requests can be vague or require extensive searches to be undertaken across the organisation. Under the GDPR, there will be even more pressure put on employers to comply within a short timescale and for most, this will not be a welcome change.
Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. This will certainly make some sit up in their chairs and think about data protection!
So, here the human resources news is that the level of fine will depend on the type of breach and any mitigating factors, but they are a significant increase as compared to previous fines under the DPA 1998 (in the UK the maximum fine is £500,000).
Under the DPA 1998, there must be legal grounds for justifying the processing of personal data. For many employers, and often for organisations providing services as well, the most utilised legal ground is obtaining consent. The usual practice is for employment contracts to contain a general clause which specifies that an employee is consenting to their personal data being processed.
Under the GDPR, individuals’ rights will be modified depending on the legal basis for processing their personal data. In addition, the GDPR is much more prescriptive about requirements for obtaining consent, and specifies that it must be made clear that individuals (including employees) can withdraw their consent at any time. The GDPR says that consent must be freely given, specific, informed and unambiguous. Where the legal ground for processing is consent, individuals will have stronger rights regarding their data (such as the ‘right to be forgotten’).
The consensus is that initially employers should be thinking about conducting a data audit to set out where and why they process any employee data. This is quite hard given the complexity and nuances of dealing with employee data!
Employers will then need to see what legal ground they need to be able to process such data. In very general terms, the legal grounds for processing data under the GDPR will be as follows:
- Consent of the data subject.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
It is possible that a solution will be for employers to get employees to sign a more detailed and separate consent form, rather than making it part of the employment contract.
The human resources news is that in reality very few employees are going to object to their employer processing their data. However, employees will need to be informed about their right to be able to revoke consent at any time, which is why a separate consent form may be useful. This will also be evidence of the consent having been given.
The above said, the GDPR says that consent will not be freely given where there is an imbalance in the relationship and this is likely to be the case in an employer-employee relationship.
Therefore, given the increased complexity around obtaining consent, it may be very wise to consider if there are other grounds that can legitimately be used to justify processing employee data and to utilise those wherever you can.
The ICO has indicated that the “legitimate interests” ground is likely to be the most relevant for employers. If there are other legitimate grounds, then employers will not need to seek consent.
The latest human resources news is that the ICO has issued draft guidance about consent under the GDPR – again on the website
Data breach notification
The GDPR imposes a new mandatory data breach reporting requirement. Where there has been a breach (for example, an accidental loss of data, or hacking of computer systems with data revealed on the internet), an employer must to notify the ICO about this within 72 hours. If that timescale is not met, there will need to be justification as to why the breach was not reported within that timeframe. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also all have to be notified.
There have been some infamous data breaches over the past few years, including the recent NHS data breach. Prevention is better than cure, so employers should be reviewing safeguards and putting policies or systems in place so that data breaches do not occur in the first place.
Employers should also have policies and procedures in place (plus training on these) to ensure data protection breaches are recognised, reported to the right person (who can make decisions on whether to report to the ICO), and are reported quickly.
Under the current law, employers are required to provide employees and job applicants with a privacy notice which covers things such as information on how you use their information. Under the GDPR, employers will need to provide more detailed information in privacy notices, such as:
- how long data will be stored for;
- if data will be transferred to other countries;
- information on the right to make a subject access request; and
- information on the right to have personal data deleted or rectified in certain instances.
Data protection officers
All public authorities, and those private companies involved in regular monitoring or large-scale processing of sensitive data (for example, health data), will need to appoint a data protection officer to carry out activities related to the GDPR and monitor compliance.
Conclusion to this Human Resources News
I hope you have got this far in this edition of human resources news, because It is important to be thinking about the GDPR now given that it will be in place in a year’s time.
The first step is to audit what data you process and why you need to process it. This will then help you determine what the next steps to take to ensure compliance are.
Data protection is going to be an increasingly important issue, so it is worth investing effort and some resources into such matters, especially with the threat of increased penalties for non-compliance.
Please talk to me for more help and guidance in this area or any other HR area by following this link >>>