As the drama of Brexit unfolds, the UK is starting to have to make decisions about which forthcoming EU legislation it will take on board despite being in the process of exiting the EU. One piece of EU legislation that has been confirmed as being part of the UK legal landscape in the future is the General Data Protection Regulation (“GDPR”). This regulation will come into force on 25 May 2018 across EU member states, and the UK will also be implementing it at the same time.
The Information Commissioner’s Office (“ICO”) has issued some useful general guidance on the GDPR which can be found here.
A lot of the GDPR is already enshrined in the Data Protection Act 1998 (“DPA 1998”), so if employers comply with that (and in particular the eight principles of data protection) then they should be in a good position to comply with the GDPR.
However, there are some new requirements in the GDPR which will need consideration. Some key points and practical steps to take are set out below:
Subject access requests
For a general overview of what subject access requests are, please see our previous article here.
The rules around subject access requests will be changing. Once the GDPR is in force, employers will have only one month from the date of receipt of a subject access request to comply (as opposed to the current 40 days). There can be an extension for a further two months if necessary, if the request is complex. Employers will also no longer be able to charge a £10 fee (unless the request is excessive, in which case a proportionate fee can be charged).
Employers will only be able to refuse “manifestly unfounded or excessive requests”, and will need to have policies and procedures in place to set the criteria for refusal. When a refusal is made, employers will then need to be able to demonstrate why the request met those criteria.
This change means that organisations will have less time to consider and deal with a subject access request. Subject access requests are generally quite complex and time-consuming to deal with as many requests can be vague or require extensive searches to be undertaken across the organisation. Under the GDPR, there will be even more pressure put on employers to comply within a short timescale and for most, this will not be a welcome change.
Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. This will certainly make some sit up in their chairs and think about data protection!
The level of fine will depend on the type of breach and any mitigating factors, but these amounts are a significant increase compared with the fines available under the DPA 1998 (in the UK the current maximum fine is £500,000).
Under the DPA 1998, there must be legal grounds for justifying the processing of personal data. For many employers, and often for organisations providing services as well, the most utilised legal ground is obtaining consent. The usual practice is for employment contracts to contain a general clause which specifies that an employee is consenting to their personal data being processed.
Under the GDPR, individuals’ rights will be modified depending on the legal basis for processing their personal data. In addition, the GDPR is much more prescriptive about requirements for obtaining consent, and specifies that it must be made clear that individuals (including employees) can withdraw their consent at any time. The GDPR says that consent must be freely given, specific, informed and unambiguous. Where the legal ground for processing is consent, individuals will have stronger rights in regard to their data (such as the ‘right to be forgotten’).
The general consensus is that initially employers should be thinking about conducting a data audit to set out where and why they process any employee data. This is actually quite hard given the complexity and nuances of dealing with employee data! Employers will then need to see what legal ground they have to be able to process such data. In very general terms, the legal grounds for processing data under the GDPR will be as follows:
- Consent of the data subject.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
It is possible that a solution will be for employers to get employees to sign a more detailed and separate consent form, rather than making it part of the employment contract. The reality is that very few employees are going to object to their employer processing their data. However, employees will need to be informed about their right to be able to revoke consent at any time, which is why a separate consent form may be useful. This will also be evidence of the consent having been given.
The above said, the GDPR says that consent will not be freely given where there is an imbalance in the relationship and this is likely to be the case in an employer-employee relationship.
Therefore, given the increased complexity around obtaining consent, it may be very wise to consider if there are other grounds that can legitimately be used to justify processing employee data and to utilise those wherever you can. The ICO has indicated that the “legitimate interests” ground is likely to be the most relevant for employers. If there are other legitimate grounds, then employers will not need to seek consent.
The ICO has issued draft guidance about consent under the GDPR – this can be found here.
Data breach notification
The GDPR imposes a new mandatory data breach reporting requirement. Where there has been a breach (for example, an accidental loss of data, or hacking of computer systems with data revealed on the internet), an employer must notify the ICO about this within 72 hours. If that timescale is not met, there will need to be justification as to why the breach was not reported within that timeframe. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also all have to be notified.
There have been some infamous data breaches over the past few years, including the recent NHS data breach. Prevention is better than cure, so employers should be reviewing safeguards and putting policies or systems in place so that data breaches do not occur in the first place.
Employers should also have policies and procedures in place (plus training on these) to ensure data protection breaches are recognised, reported to the right person (who can make decisions on whether to report to the ICO), and are reported quickly.
Under the current law, employers are required to provide employees and job applicants with a privacy notice which covers matters such as how you use their information. Under the GDPR, employers will need to provide more detailed information in privacy notices, such as:
- how long data will be stored for;
- if data will be transferred to other countries;
- information on the right to make a subject access request; and
- information on the right to have personal data deleted or rectified in certain instances.
Data protection officers
All public authorities, and those private companies involved in regular monitoring or large-scale processing of sensitive data (for example, health data), will need to appoint a data protection officer to carry out activities related to the GDPR and monitor compliance.
It is important to be thinking about the GDPR now given that it will be in place in a year’s time. The first step is to audit what data you process and why you need to process it. This will then help you determine what the next steps are to ensure compliance.
Data protection is going to be an increasingly important issue, so it is worth investing effort and some resources into such matters, especially with the threat of increased penalties for non-compliance.
If you would like to talk through a situation you are dealing with, or if you need advice on any aspect of employment law, please contact any member of the Pure Employment Law team (01243 836840 or [email protected]).