The General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018, which means that there is now less than a year to make some very significant changes to the way that businesses process data about people – and that includes their employees and job applicants. If you haven’t heard much about it yet, don’t worry - you will do over the next few months! This is going to be very time-consuming and so you need to start your preparations now, if you haven’t already done so.
At the moment, under the Data Protection Act (DPA) it is normal practice to gain consent to process employee data by including a clause in their employment contracts, but the GDPR is going to tighten the rules for gaining consent. The regulations say that consent will need to be explicit, informed and freely given. That means that the current method of gaining consent will no longer be valid. In fact, the general view seems to be that consent cannot be freely given due to the imbalance of power in an employment relationship. The thinking is that employees are never truly free to give consent to their employer because there might be adverse consequences if they say no, as well as the fact that consent can be withdrawn at any time.
But employers will still need to process data, so there will be a greater focus on the legal basis for doing this (rather than relying upon consent) and employers will need to rely upon other grounds, for example that the processing is necessary for:
• Compliance with a legal obligation (e.g. processing data for tax or reporting purposes or to provide statutory entitlements such as annual leave, maternity pay or sick pay);
• The performance of a contract (e.g. monitoring attendance); or
• The purposes of the legitimate interests of the employer or a third party (e.g. to undertake an investigation relating to a dispute).
Under the GDPR, employers will have to provide more detailed information than they are required to now. Some businesses will be required to appoint a Data Protection Officer, for example public authorities and those who process sensitive personal data on a large scale, such as health service providers.
The sorts of information that you will be required to provide to employees and applicants include:
• the purposes for which the data will be processed and the legal basis on which you will be relying to process it;
• the categories of personal data to be processed;
• the recipients of the data;
• any transfer of the data outside of the European Economic Area;
• the period of storage;
• the rights of data subjects (i.e. the people about whom the information is held) to access, rectify and require erasure of the data, or to withdraw consent or object, etc.;
• the consequences of failing to provide data necessary to enter into a contract; and
• the existence of any automated decision-making and profiling, and the consequences this may have for the data subject.
You will be required to provide the information at the time you collect the data and if you subsequently wish to use it for any other purpose, you will need to inform the employee or job applicant.
The record keeping requirements will be somewhat onerous and you will need to keep extensive internal records of your data processing operations, which must be produced to the ICO for inspection on request. Such a register would cover the sorts of information as described above, but would also need to cover the technological and organisational security measures used to safeguard the data.
Employees will have enhanced rights including the right to have data corrected, erased or destroyed, but these will be balanced by any legitimate business rights to hold and process that information.
Under the GDPR, organisations will need to disclose a data breach to the appropriate authorities within 72 hours. If the breach poses a high degree of risk to the rights of the individuals concerned, the business will also need to inform the people affected as well.
The rules around Subject Access Requests (SARs) are changing too, so if one lands on your desk from 25th May 2018 you will need to respond more quickly. At present, companies have 40 days to respond, but this is reduced to a month under the GDPR. So if you keep your register up to date, this will help you comply with the tighter timescale.
The fees organisations can charge for SARs, currently a maximum of £10, will also disappear under the new regulation. Furthermore, given that such requests are sometimes used as a run-up to a tribunal claim, the abolition of employment tribunal fees could have a further effect on the number of requests businesses receive.
If you use an element of automated profiling during your recruitment activities to filter through applicants, e.g. searching for CVs that mention certain skills and qualifications, or automated tests, you will need to reconsider how you do this because employees will have a right under the GDPR not to be subject to a decision based solely on automated processing where that decision significantly affects them. Similarly, if you use such processes for other purposes such as sickness absence monitoring, you will need to make sure that all such resulting decisions are not made solely on the basis of the computer-generated data – there needs to be human intervention as part of the review.
With the maximum fine standing at 4% of global annual turnover or €20m – whichever is greater – the potential penalties under the GDPR have attracted a lot of attention. However, the UK Information Commissioner has said that the highest fines will only be applied to the most serious breaches and will not be handed out for lesser infringements. She is more interested in helping businesses to comply with the regulations. This article has given a very brief summary of the changes that will be coming into effect; for more information from the ICO see https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
If you need any specific help with your move to comply with GDPR, please get in touch.