The UK’s data protection rules are set to change dramatically with the introduction of the EU’s General Data Protection Regulation (GDPR) on 25th May 2018. The new regulation will involve significant changes to how organisations process data, and the new restrictions mean there will be greater penalties for failing to meet data protection requirements. The introduction of GDPR will have a serious impact on employers in terms of how personal data is processed and stored, not just for employees but also for contractors and job applicants.
Don’t let Brexit lead you to think that GDPR won’t apply to the UK: we will still be in the EU when the new legislation comes into force, and it is likely that the UK Government will adopt the same or similar legislation when we do eventually leave the EU.
Breaching the law could subject a company to significant fines of up to €20 million, or 4% of an organisation’s global annual turnover, whichever is higher.
The major changes that GDPR will have on HR information are:
1. Data protection by design and default – A new approach to data that will require organisations to embed privacy considerations in both operational and strategic HR. Employers need to ensure that only personal data necessary for each specific purpose is processed. This includes ensuring that:
- only the minimum amount of personal data is collected and processed for a specific purpose;
- the extent of processing is limited to that necessary for each purpose;
- personal data is stored for no longer than necessary; and
- access to the data is restricted to that necessary for each purpose.
2. Processing by consent – Many employers process employee personal data based on consent. This approach has been increasingly criticised, as the validity of employee consent is questionable due to the imbalance of power in an employment relationship. Under GDPR consent must be “freely given, informed, specific and explicit”. Where an employer obtains consent in a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. This means that broad consents in employment contracts to process employee data will not be valid. Further, the requirement that consent be freely given means that valid consent will generally be difficult to obtain in the employment context due to the imbalance of power.
3. Legal basis for processing – There will be a greater focus on the legal basis for processing personal data under the GDPR. As processing employee data on the basis of consent will be problematic, employers will need to rely on other grounds, including that processing is necessary for:
- compliance with a legal obligation;
- the performance of a contract; or
- the purposes of the legitimate interests of the employer or a third party.
If an employee objects to processing based on legitimate interests, the employer cannot process the data unless it shows that its legitimate interests are sufficiently compelling to override the interests or rights of the employee, or that the purpose of processing is to establish or defend legal claims. The right to object could cause significant delay and disruption in the context of disciplinary or grievance procedures, redundancies, terminations of employment or business sales.
4. Information for employees and job applicants – Under the GDPR, employers will be required to provide more detailed information than under the Data Protection Act 1998 to employees and job applicants about the processing of their personal data. Under GDPR, information that employers must provide includes:
- the identity and contact details of the employer as a data controller;
- the data protection officer’s (DPO) contact details (if the organisation has a DPO);
- the purposes for which the data will be processed and the legal bases for processing, including, if relevant, the legitimate interests relied on;
- the categories of personal data to be processed;
- the recipients of the data;
- any transfer of the data outside the European Economic Area (EEA);
- the period of storage;
- the rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority;
- the consequences for the data subject of failing to provide data necessary to enter into a contract; and
- the existence of any automated decision-making and profiling, and the consequences for the data subject.
Employers must provide the information at the point of data collection. Where an employer wishes to process existing data for a new purpose, it must inform employees or job applicants of that further processing.
5. Data subject access requests – Employees have an existing right under the Data Protection Act 1998 to obtain from their employer (or former employer):
- confirmation as to whether or not their personal data is being processed;
- information on their data, including the purpose of processing, categories of data collected and the recipients of such data; and
- a copy of the data being processed.
Under the GDPR, employers must provide the requested information within one month of the request (three months in the case of complex requests), and free of charge unless the request is manifestly unfounded or excessive. The GDPR places much more rigorous obligations on employers to have systems in place that comply with access rights, with particular emphasis placed on the clarity, transparency and accessibility of such systems.
6. Accountability principle – One of the biggest changes under the GDPR is the new principle of accountability; the GDPR requires employers to demonstrate compliance with the data protection principles. This will mean enhanced obligations for employers, including a requirement to keep extensive internal records of data processing operations, which must be produced to the supervisory authority for inspection on request. Employers should create a data register to meet their record-keeping requirements. This should be an up-to-date written record containing information about all personal data processed by the organisation, including:
7. Automated decision-making – Employees have a right under the GDPR not to be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability and behaviour). The GDPR requirements regarding automated decision-making mean that employers should incorporate human intervention into automated processes that significantly affect employees unless they are relying on an exception to the rule.
GDPR will become law on 25 May 2018 and that is a “hard deadline”. Organisations will need to be 100% compliant from day one.
Accountability needs to be entrenched in an organisation, requiring a cultural and organisational shift and for companies to take a proactive, methodical and answerable approach toward compliance.
For more information on how to comply with GDPR please speak to us at Solve.