The GDPR comes into force on 25 May 2018. It brings with it a number of changes to the data privacy laws across Europe and places a significant burden on companies to demonstrate that they are complying with the new regime. This guide reviews the changes implemented by the new rules and will help you make sure your HR department is prepared for the GDPR post 25 May 2018.
- GDPR and HR
The difficulty with the GDPR is that there is a lot of information out there and it is difficult to distill what it means for the employer/employee relationship as opposed to the wider application of the GDPR concerning how a company processes the data of its clients or the public.
The fact is, however, that the position in relation to employees is comparatively straightforward. When dealing with employees, an organisation will most usually be processing the following types of data: home address, date of birth, salary and payroll details, and other employment records; health records; and possibly photographs and other biometric data.
- Main Principles of the GDPR
Under the Data Protection Act (DPA) there are (soon to be ‘were’) 8 Data Protection Principles. The GDPR rationalises those to 6 Principles, which can be summarised as follows:
- The processing must be lawful, fair and transparent. It is this new requirement to be ‘transparent’ which has introduced the concept of the Data Privacy Statement which is referred to below;
- The data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that. This is sometimes called the “Purpose Limitation Principle”. This is not new, but is a term which seems to be used more often in the context of the GDPR. In short, it means that personal data collected for one purpose should not be used for a new, incompatible purpose. There are exceptions but those are likely to have limited relevance in the employment context;
- The data collected must be adequate, relevant and limited to what is necessary. This is sometimes referred to as the “Data Minimisation” principle. The emphasis of this principle has changed under the GDPR: the ‘old’ DPA says that the processing should not be ‘excessive’, but the GDPR says that the processing must be “limited to what is necessary” in relation to the purpose for which it is being processed;
- The data must be accurate and kept up to date;
- The data must not be kept for longer than necessary. This should be read in the context of the new ‘right to be forgotten’ which is referred to below;
- The data must be processed in a manner which ensures appropriate security of data.
These are the overarching principles that employers should keep in mind when processing an employee’s data.
- Lawful processing under the GDPR
Principle 1 refers to “lawful processing” and is now defined by Article 6 of the GDPR which says lawful processing includes:
(a) where you have consent for a specific purpose;
(b) where it is necessary for the performance of a contract to which the data subject is party (which will include the contract and relationship of employment) or where it is necessary in order to take steps at the request of the data subject prior to entering into a contract (which will cover the employment recruitment process);
(c) where it is necessary for compliance with a legal obligation (e.g.: health and safety matters, passing information on earnings to HMRC, compliance with an attachment of earnings order);
(d) where it is necessary to protect the vital interests of the data subject;
(e) where it is necessary for the performance of a task carried out in the public interest or official authority of the Data Controller;
(f) where it is necessary for the purposes of the legitimate interests of the Data Controller, subject to the fundamental freedoms of the data subject (the employee). This means it is a balancing act between the legitimate interests of the Data Controller (the employer) and the rights of the data subject, such as the right to a reasonable expectation of privacy. This lawful ground is most likely to cover the use of photographs of employees on websites and marketing material etc.
Traditionally, to ensure that data was being processed ‘lawfully’ an employer would include in the employment contract a standard ‘consent’ clause such that everything was then processed under that consent. Under the GDPR, an employee can withdraw their consent at any time and therefore it is not advisable to process employee data on the basis of consent but rather on the basis of (b), (c) or (f) above.
- Consent (Art 7)
There may be some circumstances where an employer does wish to process an employee’s data for reasons which do not fall into (a) to (f) above, and in those circumstances it will need to obtain the consent of the employee.
While consent remains a lawful ground under the GDPR, it will be significantly harder to obtain: it must be freely given (if there is an imbalance between the parties, as there is in an employer/employee relationship, extra efforts must be made to displace the presumption of imbalance); it must not be a blanket consent; if given by a written declaration it must not be buried in a more general document like the employment contract; and an individual must be able to withdraw their consent as easily as it was given.
The Information Commissioner’s Office (ICO) guidance on consent warns that if consent was given and then withdrawn but the processing of the data continued anyway purportedly under some other ‘lawful’ ground set out at (a) to (f) above, then seeking consent from the individual in the first place is misleading and inherently unfair as it would give an employee a false impression as to how and under what conditions their data is processed.
- Changes to processing Sensitive Personal Data under the GDPR (Art 9)
The changes introduced by the GDPR in relation to the processing of sensitive personal data are positive for most organisations, because they provide additional grounds on which Sensitive Personal Data may lawfully be processed.
These include but are not limited to:
- Explicit consent
- Necessary in the context of employment law or laws relating to social security and social protection
- Necessary to protect vital interests of data subject
- Processing carried out in the course of the legitimate activities of a charity or not for profit organisation
- Data manifestly made public by the data subject
- Necessary for the establishment, exercise or defence of legal claims
- Necessary for reasons of public interest
- Information to be provided by employer to employee when data is collected - Data Privacy/Fair Processing Notices
Under the GDPR, an employer must issue employees with a Data Privacy Notice (otherwise known as a Fair Processing Notice). All information in the notice must be in plain language. Where the data is to be obtained from the data subject (the applicant or the employee), the notice should include, at the point of data collection:
- Details of the employer, name, contact details etc;
- Contact details of Data Protection Officer if relevant;
- The purposes of the processing and the legal basis for the processing (contractual obligation, statutory obligation);
- The recipient or categories of recipient of the personal data;
- Any intention to transfer the data to a third country or international organisation, and if so, on what basis and what safeguards are in place;
- The period for which the data will be stored or the criteria used to determine the period (e.g.: for the duration of your employment and for a period of X months/years thereafter);
- The fact that employees have a right of access, correction, restriction, erasure and objection as well as the right to data portability;
- If the processing is based on consent, the fact that they can withdraw their consent;
- Notification of the right to complain to a supervisory authority;
- Whether the provision of data is a statutory requirement, a contractual requirement, or if it’s necessary to enter into a contract, whether or not there is an obligation to provide the data and the possible consequences of not providing it;
- Whether the data will be subject to automated processing.
Where the data is to be provided by someone other than the data subject (for example, in obtaining a reference on someone or a report from their GP, or looking at an internet/Facebook/social media profile prior to recruitment), the same notification requirements apply (and the data will in most cases be processed by means of ‘consent’), but you must also tell them from which source the personal data originates and whether it came from a publicly accessible source.
- New Individual Rights
The right to withdraw consent
This is why it is important to base processing decisions on one of the other ‘lawful’ grounds set out at (a) to (f) above, and not rely on consent.
The Right to Erasure (Article 17) (Right to be Forgotten)
Individuals are entitled to have personal data erased where:
- The data is no longer needed for its original purpose;
- The lawful basis for the processing is consent and that has been withdrawn and no other lawful ground exists;
- The data subject objects to their data being processed and the Data Controller has no other grounds for continuing processing;
- The data has been processed unlawfully;
- Erasure is necessary for compliance with EU law.
Employers are not required to erase employee data in some circumstances which (for the purposes of employment) the ICO guidance summarises as: where data is being processed to comply with a legal obligation or to exercise or defend legal claims.
There has been much concern expressed over these rights, but the right to be ‘erased’ applies where the retention of the data is not otherwise compliant with the requirements of the GDPR. This means that in most cases, if the employer has a legitimate interest in processing (retaining) the personal data, it will not be significantly affected by the right to be forgotten.
The Right to Rectification (Article 16)
The Controller must, if so requested, rectify without undue delay inaccurate personal data.
This right does not enable employees to demand the ‘rectification’ of what they deem to be an unfair assessment of their performance. That is not what this legislation is for.
If a request for erasure or rectification is to be refused, then certain information has to be provided to the employee within one month, which can be extended to 2 months where the request is complex (which it is bound to be in an employment context). If the data is erased and that data had been provided to a third party, that third party must be notified of the erasure.
- Monitoring employee communications: Privacy Impact Assessments
Under the GDPR, employee monitoring is likely to be considered “high risk” processing, in which case a detailed privacy impact assessment (PIA) must be undertaken and documented.
Under the GDPR, employers will still be able to monitor employee activity, but care will need to be taken when determining the lawful basis for processing employee data in this way, how an employer communicates the monitoring to employees, and how it then treats the data collected. Most employers will have an email and internet use policy and will give notice of monitoring of email and internet use for the purposes of identifying any breach of that policy. That policy should be reviewed to ensure proper notification is given, to include this type of monitoring in the Data Privacy/Processing Notice, and to specifically identify the reasons for this monitoring (most likely around (c) or (f) above).
- What should employers be doing?
The GDPR changes have significant implications for the structure and processes of businesses.
What should a business do?
- Undertake an audit of the employee data processed throughout the business and schedule it in table form, in each case identifying the ‘lawful’ reason for that processing.
- Remove ‘standard’ clauses in contracts of employment giving ‘consent’ for the processing of personal data. Instead cross refer to Data Protection Policy in the Staff Handbook and the Data Privacy/Processing Notice.
- Replace existing Data Protection Policy in staff handbook with GDPR compliant Data Protection Policy.
- Develop a retention policy, setting out what employee data is retained, for how long and why.
- Issue to all employees a Data Privacy/Data Processing Notice.
- Undertake training with all employees on the new GDPR regime, identifying the requirement for compliance and the specific risks to your business.
- Identify a Data Controller or, for smaller organisations, a data champion, and train them accordingly.
We are able to provide template Data Privacy/Processing Notices for employers to issue to employees and a Data Protection Policy for inclusion in the Staff Handbook. We can also assist with training and the development of an employee data retention policy. If you would like further information please contact Linky Trott – Head of Employment.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.