Here's how Employers can Demonstrate Compliance with the GDPR
On the 25th of May 2018, the General Data Protection Regulation ('the GDPR') came into force across EU states, including the UK. The UK Information Commissioner's Office ('the ICO') has repeatedly stressed that the introduction of the GDPR is not intended to instigate a panicked box-ticking exercise (although you would be forgiven for thinking so with the recent barrage of emails you will have received!), but rather a catalyst for cultural changes within organisations in order to re-focus their attention on data privacy. In fact, the GDPR is similar in many ways to the Data Protection Act 1998 under which data protection was previously governed. However, although many of the principles are similar or the same as those under the 1998 Act, there is now a new requirement under the GDPR which provides that data controllers (such as employers) will need to actively demonstrate compliance by having appropriate measures and records in place. This means that there is now increased importance placed upon having up-to-date policies, procedures, and contractual documentation to demonstrate an organisation's compliance with the GDPR.
The Employment and Holistic HR Team at MBM Commercial have been providing guidance and support to clients regarding the employment related documentation employers should have in place to comply with the GDPR. In particular, we have been recommending that companies implement:
It is important to update staff contracts, as many previous contractual clauses covering data protection will now be outdated in light of the GDPR. For instance, a previous data protection clause might have indicated that the employee 'consents' or 'agrees' to the company processing their personal data. It is inadvisable to retain contractual clauses such as these now that the GDPR has come into force. This is because under the GDPR consent must be 'clearly distinguishable from other matters, in an intelligible and easily accessible form, using plain and clear language'. If consent is requested as part of an employment contract, it may not be clearly distinguishable from other matters and it could therefore be rendered invalid. Furthermore, the GDPR says that consent must be 'freely given, specific, informed and unambiguous'. In an employment context, therefore, it may now be difficult to rely on consent as a lawful basis, as the GDPR states that consent will be invalid where there is a clear imbalance between the data subject and the controller (i.e. there is an imbalance of power in favour of the employer). There are also other reasons why consent may not be the best lawful basis to rely on for processing an employee's personal data. For instance, consent can be withdrawn at any time, which could be unworkable in the employment context (e.g. if consent to hold the employee's bank details is withdrawn, then they cannot easily be paid). Therefore, we have been recommending that data protection clauses in employment contracts are worded so that consent is not relied upon as the lawful basis for processing. Instead, a data protection clause can direct employees to the standards they need to comply with when processing data to make sure that the company is GDPR compliant, and to where they can find information about the personal data that the company holds on them (including the lawful bases being relied on, amongst other things).
We have also been recommending that employers put in place GDPR compliant Privacy Notices for all employees, workers, consultants, and job applicants. There must be sufficient information provided about the processing that an employer undertakes, and this must be presented in a concise, transparent and easily accessible format, written in plain language. A Privacy Notice should include information such as the purposes of and legal basis for the processing, the recipients or categories of recipients of the personal data, and information on the employee's rights to access, rectify, erase, restrict or object to processing, as well as their right to data portability. Privacy Notices must be regularly reviewed and updated to make sure they are still relevant to the processing of personal data that the organisation undertakes.
With regard to how staff should handle the personal data of third parties and of fellow employees, consultants and so on, a Data Protection Policy can be really useful to set out the privacy standards that are expected on a company-wide basis. The policy can cover areas such as the process for handling Subject Access Requests, how to report data breaches, and what to do if a customer requests to have their information erased or transferred. A policy such as this can help an employer demonstrate compliance with the GDPR, as they are actively setting good standards of data security for all members of their organisation to comply with. A Data Protection Policy can sit within an Employee Handbook (please note that previous pre-GDPR policies relating to data protection should be removed), or it can be implemented as a stand-alone policy. In both cases, employees should be consulted with regard to the new policy and have the opportunity to ask questions.
If you require any more information on the employment documentation your company needs to have in place to be GDPR compliant, please contact the Employment Team at MBM Commercial on 0845 345 5004 or fill out our online contact form. We are pleased to announce that as part of our Holistic HR service which provides unlimited HR and Employment Law advice (amongst other benefits), we can offer a more in-depth Employer's Guide to the GDPR, as well as template contracts and policies that are GDPR compliant.
If you require further advice on GDPR compliance across your organisation (for instance in relation to client data) please contact our IP Data and Contracts Team by emailing Andy Harris at firstname.lastname@example.org.
Partner and Head of Employment Law & Holistic HR
Tel: 0131 226 8216