The General Data Protection Regulations (GDPR) will come into force on 25 May 2018 and will be directly applicable to all EU member states.
The Data Protection Bill is also making its way through Parliament and will replace the Data Protection Act 1998. The UK Government has decided to introduce the Bill to ensure that UK and EU data protection laws are aligned post Brexit.
HR departments will need to make sure that they are familiar with the new obligations placed on businesses under the GDPR to ensure compliance. We have set out below answers to some of the most common questions raised by employers in the lead up to the implementation of the GDPR.
Can employers continue to rely on consent in employment contracts?
Under both DPA and the GDPR consent is one way to process personal data. However there is a higher threshold of consent under the GDPR as it must be freely given, specific, informed and unambiguous. Consent will not be regarded as freely given if there is no genuine choice on the part of the employee. It is not uncommon for contracts to be offered to employees on a “take it or leave it” basis and therefore it is unlikely that consents contained in employment contracts will be valid under the GDPR. Employers may wish to consider advising employees that clauses in their contracts of employment dealing with data protection consent no longer apply and refer employees to the employer’s policy on data protection or their privacy notice (see below).
The ICO have also published a consultation document on consent which states that consent will not be freely given if there is an imbalance in the relationship and employers and public authorities should consider alternative lawful basis for processing data.
How do employers process personal data if they cannot rely on consent?
Employers may wish to consider other conditions for lawful processing that can be relied upon under the GDPR such as:-
- the processing of the data is for the legitimate interest pursued by the employer; or
- it is necessary to fulfil obligations under a contract of employment.
Employers will also need to notify employees how they use their data through “privacy notices”. Employers already have an obligation under the DPA to notify staff how their data will be used. However, the GDPR requires privacy notices to contain much more information which will include which condition the employer is relying on under the GDPR to process personal data, retention periods of personal data, the rights of the data subjects (such as subject access, right to rectification, right to be forgotten etc) categories of data being processed, how to raise a complaint etc. These notices will need to set out the above matters so employees can see how the employer intends to process their personal data in a concise and transparent manner.
When dealing with special categories data (sensitive personal data), such as medical records, employers should continue to seek explicit consent to legitimise the processing of that data unless it can rely upon another condition under the GDPR such as that the processing is necessary for carrying out obligations under employment, social security or social protection law.
Has the law changed on Subject Access Requests?
Under the GDPR employers are no longer permitted to charge a fee of £10 to carry out a data subject access request. The timeframe to comply with the request has also been shortened from 40 days to one month. However the GDPR does allow employers to apply for an extension of 2 months to comply with the request.
The GDPR also gives employers a right to refuse to comply with the subject access request or charge a fee if the request is “manifestly unfounded or excessive”. Although this is welcome news for employers the GDPR does not define “manifestly unfounded or excessive”, so employers should exercise this right with caution until there is further guidance from the ICO or the courts.
What are the new employee rights?
Employees will have additional rights under the GDPR as they can ask for their personal data to be rectified if it is incorrect, deleted (if the processing is no longer necessary), or frozen.
Employees will also have the right to ask for their data to be transferred from one data controller to another. This right is known as data portability under the GDPR but it only applies to personal data the employee has provided to the data controller.
Implications for non-compliance
Under the DPA organisations can be fined up to £500,000 for a serious breach of the DPA. However the GDPR provides that organisation can be fined a maximum of 20 Million Euros or 4% of the company’s annual worldwide turnover if higher. Given the severe penalties for a breach of the GDPR compliance should be at the very top of every organisation’s agenda.
Next steps
HR departments may wish to consider the following in order to comply with the GDPR:-
- carry out an audit of what personal data you process and consider whether consent is the best way to process data;
- consider whether you should rely on alternative conditions other than consent for processing personal data under the GPDR;
- ensure there are procedures in place dealing with the new data subject rights such as data portability, the right to be forgotten, the right for data to be rectified and the right for data to be frozen;
- ensure privacy notices are updated and employees have access to these;
- consider whether a separate privacy notice needs to be prepared and sent to job applicants or whether such notices can be incorporated into an online application process;
- amend new contracts of employment to remove consent clauses for new joiners;
- notify existing employees that consent clauses in their contract no longer apply; and,
- arrange training for staff on the impact of the GDPR.
The GDPR will not only affect employees but also customers of an organisation. Accordingly, HR teams will have to liaise with other departments within the organisation to ensure that it has adequate procedures in place to process personal data and there is a joined up approach to implementing the GDPR.