Newsletter 1 of 2 on the General Data Protection Regulations (GDPR)
The mere mention of GDPR can strike fear into the hearts of many business owners and managers. The GDPR is a lengthy piece of legislation and therefore it is not possible to cover all aspects in one newsletter. Therefore, this is the first of two newsletters on GDPR and the next one will be issued next week.
Data storage and management have changed dramatically since the last data protection laws came into force in 1998. In 1998 the internet was still in its infancy and cloud-based services didn’t exist. Much employee data was held in manual files.
The GDPR heralds a significant change in the culture, as well as the processes, of how organisations handle data and there are stiff penalties for falling foul of the law. It’s vital that employers take steps now, if they haven’t already, to ensure they are prepared for the new data protection provisions.
If your business collects and stores data on computers or in organised filing systems, then you’ll be subject to data protection laws, this includes employee personal data. Whether you still rely on a paper-based system of have moved to an online HR system, you have a responsibility to manage that data properly. It includes not only data collected on customers but any data you hold for staff.
What are the GDPR regulations and how will it affect HR.
At the heart of the General Data Protection Regulation (GDPR) is a change in focus from regulating high risk data processing activities to improving data security in more routine matters. The GDPR aims to bring about a culture shift.
Employers will need to review how they collect, hold and process personal data, as well as how they communicate with individuals about that activity.
One of the most significant change as far as employers are concerned is the increased sanctions. Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater, and staying compliant is likely to lead to additional costs and administration.
The conditions for obtaining valid consent to processing personal data will become much stricter and employers are unlikely to be able to rely on this for processing employees’ data. Blanket wording in an employment contract arguably doesn’t meet current data protection requirements, but it will definitely not meet the GDPR rules and employers should be wary of relying on this in future.
There are also greater transparency obligations. Organisations must provide more information on what data they hold and what they do with that data, both for those inside the organisation, such as employees, and those outside it, such as customers or clients.
Because the GDPR requires data protection and privacy by design and default, organisations need to build appropriate privacy requirements into their day-to-day operations and notify the ICO, and any individuals affected, if certain types of data breach occur.
What’s staying the same?
The GDPR’s data protection principles are similar to those under the DPA (except there are six, instead of the current eight). Organisations must be able to demonstrate that any personal data they handle is:
• processed lawfully, fairly and transparently
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate and kept up to date where necessary
• kept for no longer than is necessary where data subjects are identifiable
• processed securely and protected against accidental loss, destruction or damage.
The definition of data processing will be similar to the existing one, although the definitions of personal and sensitive data have been expanded. The conditions for lawful data processing are similar too, but there are changes to the way organisations can rely on these.
Data subjects’ rights are broadly recognisable, as are restrictions on processing data, but there is a new right to be forgotten. Likewise, data security obligations under the GDPR are similar to those currently in place, but there are some increased requirements.
Expansion of Individuals’ rights
While many of these rights are similar to those under the current DPA, the GDPR expands them and introduces new ones. Data subjects, including employees, will have the:
• right to be informed about the processing of their personal data
• right to rectification if their personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within one month)
• right of access to their personal data and supplementary information, and the right to confirmation that their personal data is being processed
• right to be forgotten by having their personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it (again employers will have to respond without undue delay and within one month of the request)
• right to restrict processing of their personal data, for example, if they consider that processing is unlawful or the data is inaccurate
• right to data portability of their personal data for their own purposes (they will be allowed to obtain and reuse their data)
• right to object to the processing of their personal data for direct marketing, scientific or historical research, or statistical purposes.
Consent – traditionally the fall-back position for validating the collection, processing and transfer of employee data – will no longer be a safety net for employers. Organisations will need to either find a new route for obtaining employee consent, or find another ground on which to lawfully process employee data.
Under the GDPR, organisations will need to demonstrate in each instance that employees were:
• informed of the purpose and use of their personal data
• given a clear explanation of how it will be treated.
Newsletter 2 of 2 on the General Data Protection Regulations (GDPR)
Last week’s newsletter outlined the principles of the GDPR and gave a background to Data Protection and the new GDPR. I explained what was staying the same, individual’s rights and consent. In this final newsletter we will look at some of the other areas of the GDPR and how it might impact on your business.
Lawful grounds for processing data.
Identifying an alternative lawful ground for processing employee data is unlikely to be difficult (for example, collecting and holding bank details in order to pay a salary as part of an employment contract) but the range of employee data collected, the variety of reasons for collecting it, and uses it will be put to, pose a bigger problem. Employers will need to consider each separate category of employee data and record the grounds on which they will be lawfully processing it in each case.
Where employers have been using consent as a legal basis for processing personal data, it will remain valid, provided it meets GDPR requirements. If it doesn’t meet them, employers will need to renew it.
Organisations may process personal information lawfully for a number of reasons, including in order to:
• perform an employment contract
• comply with a legal obligation
• protect the employee’s or another individual’s vital interests (for example, medical data during a health emergency)
• carry out a task in the public interest, or in exercising official authority vested in the employer
• protect the legitimate interests of the employer or a third party, except where this is overridden by the interests or rights of the employee.
Personal and sensitive personal data
Personal data is any information relating to a person who can be identified, directly or indirectly, either by an ‘identifier’ (a new concept under the GDPR) such as their name, or an identification number, or by location (also new for GDPR) or online data, or through factors specific to the physical, physiological, genetic (also new), mental, economic, cultural or social identity of that person.
Under the GDPR, it will be legitimate to process ‘sensitive personal data’ where necessary to carry out an employment contract or collective agreement obligation. What counts as ‘sensitive personal data’ will remain broadly the same. It is information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data (for example, fingerprint images for security or internal payment systems).
Two examples of sensitive personal data are criminal records and medical records. Criminal records checks will remain permissible when recruiting for a role which involves working with children or vulnerable adults but, as now, employers will not be allowed to carry out criminal records checks routinely.
Processing medical records will also remain permissible under the GDPR where necessary for preventative or occupational medicine, assessing working capacity, or confirming medical diagnoses.
Consent is not necessarily required, but the organisation must put in place safeguards on confidentiality. Employers will need to tell employees why the organisation is collecting the information, what is going to happen to it, who will see it, and so on.
Accountability and privacy by design
The GDPR requires businesses to demonstrate their compliance with the data protection principles and states explicitly that it is an organisation’s responsibility to do so. This means employers will have to:
• ensure and demonstrate compliance (for example, staff training on internal data protection policies, auditing processing activities, and reviewing HR policies)
• document data processing activities
• appoint a data protection officer (DPO) where appropriate
• only collect personal data that is adequate, relevant and necessary
• remove names from data (anonymisation) or use data encryption to anonymise it
• be open with employees about processing their data and allow them to monitor that processing
• improve data security features
• identify and limit any detrimental effects of data processing on individual privacy.
Data protection officers (DPOs)
Any organisation can appoint a DPO but, under the GDPR, organisations that are data controllers or processors will have to appoint one if they:
• are a public authority
• carry out large scale systematic monitoring of individuals
• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Data subject access requests (SARs)
The rules and the penalties around subject access requests are more onerous under the GDPR. The current £10 fee will disappear, although organisations will have some discretion to charge a reasonable fee, based on administrative costs, in limited cases where the request is ‘manifestly unfounded or excessive’ (for example, repeat requests from the same individual) or where there are grounds to refuse the request (such as vexatious or repeated requests for the same data).
Organisations must respond to a SAR without ‘undue delay’ and within one month (although this can be extended by up to two months for particularly complex requests). Currently the timeframe for responses is 40 days. There is no restriction on the number of SARs a data subject can make.
The first copy of a SAR response must be provided free of charge, although employers can charge a minimal fee for additional copies, and the data must be provided in a structured, commonly used and machine-readable format. Organisations can only refuse to respond to a SAR that is not specific or made for non-data protection purposes. Breaching the SARs rules falls into the higher tier of fines.
Employers need to be prepared for SARs being used to obtain information which may be useful in a tribunal claim. Organisations should:
• identify who is responsible for responding to SARs and provide sufficient training for them
• make staff likely to receive SARs (managers and HR teams) aware of the new rules
• make sure SARs are dealt with as efficiently as possible.
When organisations receive a SAR, they should:
• check its scope
• identify onerous SARs or those made for non-data protection purposes
• set clear deadlines for responding
• follow a procedure for preparing the response and document it.
Organisations using third parties, such as payroll providers, external HR resource providers and recruitment agencies to process employee data will be responsible for ensuring the third party is GDPR compliant.
Under the GDPR, organisations will need a level of data security appropriate to the risk involved in processing that data. The size of the organisation, how it operates, the volume and nature of personal information processed, and the potential harm that could result from a security breach, are all relevant.
In addition to having a clear policy for dealing with security incidents, organisations should:
• carry out a risk assessment of data systems and act on the results
• maintain up-to-date security systems (for example, using firewalls and encryption technology)
• restrict access to personal data to those who need it
• train staff on data security
• review data security regularly.
• Record-keeping and the right to correct
Action plans for Employers
Organisations should carry out an audit to identify any data protection risk areas and take the first steps towards creating a data protection by design and default culture.
HR teams should identify:
• what personal and sensitive personal data is obtained from employees
• how and where that data is stored, accessed and used, and the legal basis for collecting, storing and processing it
• what data is shared with third parties
• what kind of monitoring of employees takes place and where.
They should prepare an action plan that specifies what needs to be done when (bearing in mind the compliance deadline), who will do what and any internal and external support required.
They also need to:
• consider what documentation must be prepared or updated
• review policies and processes and decide which to change (different policies may be needed for employees and managers)
• reinforce the changes through training (and keep attendance records)
• think about what needs to be shown to whom to demonstrate compliance.
For support and advice on the GDPR please contact me on 07880207483 or email me on [email protected]