It’s a hot topic right now. Come 25 May 2018 the UK (and the rest of Europe) will be updating its data and information protection by implementing the General Data Protection Regulation (GDPR).
What’s changing and how to get on board
With the magnitude of data about us all so freely available and so frequently misused, many will welcome the major overhaul of data processing and data protection which the new regulations seek to bring about. But the new protections won’t be achieved without pain – significant work will be needed by almost every organisation to prepare for the change.
To give you a head-start, we’ve rounded up some of the major changes below and suggested how you might begin to approach the task.
GDPR will affect all business functions, and HR will feel the impact significantly, given that processing of employee data is a fundamental part of the HR function. In this update we cover the key areas of GDPR’s impact for HR functions, providing some ideas to get you ready.
While many of the existing data protection provisions will remain, GDPR tightens them by introducing new concepts, new approaches to data and tighter restrictions on processing data.
It will also expand rights for data subjects and significantly increase sanctions for failure to comply with the GDPR (a hefty fine of €20 million or 4% of group company turnover, whichever is greater).
Accountability
This is one of the areas of significant change under the GDPR. It’s a clear move from a ‘tick box’ exercise to a requirement to demonstrate compliance. Firstly, it will mean reviewing your current data processing and auditing your data flow. The audit should cover:
- what types of data you have
- where you store the data
- where you send the data
- how you process the data
- what you advise people regarding the processing of their data
From this data flow audit, you will be able to decide how to manage historical data and what steps should be put in place to ensure compliance at the implementation date.
Once you have taken these steps, to enable you to satisfy the requirement for ‘accountability’ and meet the record keeping requirements, it is advisable to create a Data Register. The register will need to be up-to-date and contain the following:
- the purposes for which you are processing the data
- a description of the categories of data subjects
- categories of personal data, including if the data is sensitive personal data
- the categories of recipients of the data
- any transfer of the data outside the EEA
- the anticipated periods of storage for the different categories of data; and
- the technical and organisational privacy and security measures used to safeguard the data
Whilst not strictly obligatory, we would generally recommend that employers also record the legal basis for processing the data, any legitimate interests relied on and activities associated with the data and the location of the data (see below for changes to the basis for processing).
Recording this information will also assist in complying with Subject Access Requests, since it should be easier to identify the relevant data, where it is stored and how it is processed.
Under this principle of accountability employers will also have to:
- perform data protection impact assessments for high-risk processing
- designate a DPO in certain instances
- notify and keep a comprehensive record of data breaches; and
- implement data protection by design and by default
Data Protection – By Design and By Default
Data protection ‘by design and by default’ essentially means that employers will need to create and implement data risk assessments for every aspect of the HR function that involves processing data.
This is a move towards avoiding an accidental breach by examining the risk posed by all and any data activity. For example, where an outsourcing exercise is to commence, a full risk assessment will need to be undertaken before progressing. Data controllers and processors must ensure that by default only the minimum necessary level of personal data is collected and processed.
As part of the risk assessment, organisations will need to ensure that there are mechanisms in place to ensure that:
- only personal data necessary for the purpose is processed
- personal data collected and processed is kept to a minimum
- data is stored for no longer than is necessary
- access to data is restricted to what’s required for each purpose
Information About Data Processing
Under the GDPR employers will need to provide employees and job applicants with information about the processing of their personal data. This will include:
- the identity and contact details of the employer as a data controller
- the data protection officer’s (DPO) contact details (if relevant)
- the purposes for which the data will be processed
- the legal basis for processing, including, if relevant, the legitimate interests relied on
- the categories of personal data to be processed
- the recipients of the data
- any transfer of the data outside the European Economic Area (EEA)
- the period of storage
- the rights of data subjects (access rights, right to rectify and right to be forgotten, ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority)
- the consequences for the data subject of failing to provide data necessary to enter into a contract; and
- the existence of any automated decision-making and profiling, and the consequences for the data subject
Under the GDPR employers will have to provide this information at the point of data collection, as well as where existing data is to be processed for a new purpose. Personal data cannot be processed without such a privacy notice.
So how will this work in practice?
All of this information should be generated when you undertake your data flow and risk assessments and when you create (or update) and implement your Data Privacy & Protection policy and procedures. The relevant information then needs to be extracted and transferred to an ‘easy to read’ format, which can be given to the relevant individual.
Employee Agreement to Process Data
Currently, many employers rely upon an individual employee’s express consent (e.g. within the contract of employment) to process their personal data. This ‘passive’ approach has been increasingly challenged and criticised, on the basis that in an employment relationship, an employee can never really give free consent because of the imbalance of power between the parties.
Since the GDPR introduces even stricter requirements for valid consent, it is unlikely that an employee’s passive consent to process their data will be enough.
Employers are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the new GDPR standards. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
So how can organisations justify the processing of an employee’s personal data?
Employers will be relieved to note that ‘consent’ isn’t the only provision which will allow an employer to process data. The following exceptions give scope to processing the information required to enable the employment relationship to be maintained.
The employer must show that the processing of data is necessary for one of the following:
- compliance with a legal obligation (e.g. passing information to HMRC)
- the performance of a contract (e.g. operating the provisions of the contract of employment, such as the payroll)
- the legitimate interests of the employer or a third party (e.g. to resolve a workplace dispute)
Assuming the data being processed is permitted within the GDPR, it should be relatively straightforward for an employer to rely on these. Employees will have the right to object to the processing of their data and, should this occur, the employer should cease the data processing and give the employee reasons for processing. In the early days of the new regime, employers will naturally be wary of proceeding in cases where consent has been withdrawn or denied.
With such potential for disruption, we recommend taking specific advice if you encounter such an issue, to enable you to develop practical steps for dealing with objections.
There will be instances when the processing of data can continue without consent, such as when the rights of the employer override the interests of the employee. An example may be where the employer needs to process the data to establish or defend legal claims.
Although some commentators have suggested that employees will be able to hijack internal procedures by raising objections, we are confident that the remit of the GDPR is such that this could be tackled effectively by organisations putting robust systems in place.
Subject Access Requests
The current rights under the UK’s data protection regime are refined and ‘supercharged’ under the GDPR.
The main changes are that there is no longer a £10 fee attached to the request, and the time limit within which you must provide the information to the employee has been reduced to one month. In particularly complex cases or where there are numerous requests, the limit may be extended to three months. The employer must, however, notify the employee of the need for the extended period within one month of the request.
In relation to the removal of the fee, the GDPR does give employers scope to charge a fee if the request is manifestly unfounded or excessive. There is currently little guidance on this scope within the Regulations and no doubt this, as well as greater clarity on many other provisions, will be forthcoming in due course.
Until further guidance is issued, it could be argued that a fee is justified in circumstances where the employee may be on a ‘fishing expedition’.
Automated Decision Making
Under the GDPR employees have the right not to be subjected to a decision made solely by automated processing, where that automated decision significantly affects them. So for the HR function, it could cover instances where automated systems are used for recruitment; performance management/triggers for sickness absence; attendance bonuses; shift rostering; or employee monitoring.
If there is explicit consent from the employee, or the automated decision-making is necessary for entering into or performing the employment contract, then the automated process can apply.
It is important to remember the issues surrounding consent and to focus on automated processing being “necessary” for the contract. Further safeguards to put in place would include ensuring that human intervention can take place.
Data Breaches
In a significant development, data breaches will need to be recorded and reported to the appropriate authority (the Information Commissioner in the UK) within 72 hours. Where the breach is unlikely to result in a risk to the rights and freedoms of individuals, there is no requirement to report it, but employers will need to keep records of all such breaches.
A data breach can include:
- destruction of personal data
- loss of personal data
- altering of personal data
- unauthorised disclosure of personal data
- unauthorised access to personal data
This is much wider than the existing definition of data loss and, given the scope, a structured programme of training is advisable for all employees who will be responsible for processing data, as well as a regular audit of the internal processes which involve processing personal data.
Data Processors
Both those organisations which outsource operations to third parties, and those who provide such services, will note the obligations which GDPR places on all “data processors”.
Under existing data protection provisions, the obligations of third party HR service providers, for example, are primarily to their client, the employer.
This will change in May 2018 so that those data processors will also be directly accountable and liable for any breaches of data processing obligations. Employers wishing to outsource to a third party will need to demonstrate that the service provider has guaranteed compliance with the GDPR and has in place appropriate measures to meet its requirements.
A review of the procurement procedures may be required to achieve this and, where necessary, processes amended to include due diligence exercises on data processors’ GDPR compliance measures.
The prospect of preparing for the new regime may seem daunting, and there’s no time like the present for taking first steps. Preparing for the GDPR is, of course, a task to be addressed across all business functions, although inevitably HR may well be taking the lead. Below are our suggestions for a starting point.
Dealing with GDPR compliance – what steps will get you on board?
- identify a team responsible for the implementation of the programme
- ensure that team members are fully trained and engaged with the organisation’s obligations under GDPR
- conduct a data flow audit and an initial risk assessment to identify high-risk areas and ways to mitigate the risks
- establish a GDPR compliance timeline, taking a risk-based approach that centres activities on remedial measures for the highest-risk areas
- make sure third parties are compliant
- communicate and inform your data subjects
- develop and implement an ongoing GDPR compliance programme
And finally, the Information Commissioner has also been busy with her very clear series of myth-busting blogs on GDPR consent, guidance and breach.