The General Data Protection Regulation (GDPR) is an EU regulation which will replace the UK Data Protection Act 1998. The aim of the Regulation is to guarantee the fundamental right to personal data protection across the EU. The Regulation will likely have an impact on the ways that employers store, and obtain consent to retain, information about employees. In this blog, we shall provide a brief outline of the Regulation and the main ways in which it will affect Employment Law and HR.
The Regulation also applies to organisations which process or store personal data outwith the EU but offer goods and services within the EU. The GDPR should come into force in the UK on 25th May 2018, the Government having confirmed that the Brexit process will not affect its commencement. This is because the GDPR, being an EU Regulation, will be directly incorporated into the UK legal system before Brexit without the need for UK implementing legislation. The incorporation of the Regulation is important because, if the UK wishes to trade with the EU at all post-Brexit, whether as part of the single market or otherwise, it will need to demonstrate an 'adequate' level of data protection. It is therefore likely that the UK will continue to apply the Regulation post-Brexit.
What are the implications of the GDPR from an employment perspective?
The Information Commissioner has published "The Employment Practices Data Protection Code", which deals with the impact of GDPR on the employment relationship. The Code discusses issues such as obtaining information about workers, and the retention of and access to records.
From an employer's perspective, the first step is to understand the flow of personal data within your business. For international organisations this will also require an understanding of how such data flows across borders within the group. For example, where employers outsource a particular function, such as data hosting (which includes HR data) and/or the management of a payroll service, those services will be subject to more stringent obligations under GDPR. Moreover, non-EU affiliates using shared resources and/or centralised functions are likely to be directly affected by the GDPR given its extended territorial scope.
Organisations should therefore review their existing contracts in light of GDPR, assessing the policies and procedures currently in place while considering the flow of data across the business. Going forward, the increased obligations and liability under GDPR should be taken into account in future negotiations to ensure an adequate allocation of risk with suppliers. In general, businesses should expect more lengthy and difficult negotiations with suppliers as both sides try to address their new exposure under GDPR.
In addition, there are several key areas of data protection in relation to employment that will change as a result of the new Regulation:
(1) Consent to Process and Store Data
A key change which GDPR implements concerns consent as a condition for processing employee data. Like the Data Protection Act 1998 (DPA), the GDPR requires the processing of personal data to satisfy one of a set of conditions for processing.
One of these conditions, which many employers currently rely on as justification for data processing, is the data subject's consent, with wording in privacy notices and/or employment contracts used to confirm the employee's consent to the processing of their personal data. The strength of such consent is already questionable under the DPA because of the imbalance in the employer and employee relationship.
Furthermore, consent is often obtained as a condition of the employment itself, i.e. to get the job, the employee must sign the employment contract and thereby consent to the processing of personal data. The GDPR introduces a higher standard for consent: it must be freely given, specific, informed and clearly indicated by a statement or positive action. If consent is given through a written declaration, it must be clearly distinguishable from other matters and easy to understand.
Consent must also be specific: where processing has multiple purposes and consent is being relied on for each of them, consent needs to be obtained for each purpose separately. Additionally, before giving consent the employee must be informed that they have the right to withdraw it at any time, and it must be as easy to withdraw consent as it is to give it.
Going forward, the onus will be on the employer to show that the employee gave adequate consent. Before the Regulation takes effect, employers should assess the legal grounds relied on for their processing of personal data and consider whether it remains appropriate to rely on consent. An alternative would be for an employer to rely on the condition that processing is necessary for its legitimate interests (for example, when processing personal data for administrative purposes). The higher threshold of explicit consent required for sensitive personal data is not yet clearly defined; however, it is understood that this too will need to be freely given, specific, informed and unambiguous.
(2) Transparency
Transparency requirements under the GDPR require companies to provide individuals with extensive information about how their personal data is collected, stored and used. This information must be easily accessible, transparent and presented using clear and plain language.
In practice, this means that companies will need to include more information in their privacy policies and fair processing notices, as well as retaining more detailed records of their data processing activities in relation to their employees.
In accordance with the principle that personal data must be processed fairly and lawfully, the GDPR requires employers to provide employees and job applicants with detailed fair processing notices. These notices should set out the personal data collected, the type of processing that occurs, retention periods, any international transfer of data, and data subject rights such as the rights of subject access, rectification, erasure, objection to processing and data portability. GDPR compliance requires an ongoing assessment of processing activities. Fair processing notices and privacy policies will need to be kept under review to ensure they accurately capture any new types of data collected or any additional or different processing of such data.
(3) Right of portability
Data subjects will have the right to request that their personal data be provided to them (or to a third party) in a machine-readable, portable format free of charge. Employers should consider how and where personal data is held and whether such data can be easily transferred in a safe, secure manner without impairing its usability for the data subject. The employer will need to comply with such requests without undue delay, and in any event within one month.
(4) Right to be forgotten (right to erasure)
Data subjects have the right to request the removal or erasure of personal data, for example if it is no longer necessary, if the individual objects to the processing and/or if the individual withdraws consent. Not only will employers need to comply with such requests, but they will also need to ensure that any third party with whom the employee's data was shared also deletes it.
(5) Data subject access requests
Under the GDPR, the right of data subjects to request information about the personal data processed by employers remains largely the same. However, under the new regime employers must respond without undue delay and in any case within one month of receipt of the request. Additionally, the £10 fee for making a request will be abolished.
The new data subject rights may present practical issues for employers and HR teams, especially where employee data is spread across multiple or complex systems. Employers will need to update the relevant policies and procedures to reflect the new GDPR requirements. HR teams should review the procedures they currently follow when responding to data subject access requests to ensure the new timescales can be met.
(6) Additional Rights
The rights of future, current and former employees, as data subjects, are extended under the GDPR, placing greater obligations on employers and HR teams. For example, employees will have a new right of portability, a right to erasure and additional rights in relation to subject access requests.
If you would like to discuss how GDPR will affect your business or any other employment or HR related issue, please contact Hannah and Katie on 0845 345 5004 or fill out our online contact form.