Employers must comply with new European legislation on protecting employee data. This is in the form of the General Data Protection Regulation (GDPR). The rules are complex and intend to introduce a big cultural change in how data is handled. Given this, there is a fairly tight timescale for employers to take steps now to avoid potential claims and hefty fines.
We have explained the essential points for you to take into account:
What is the GDPR?
The GDPR will replace the current legislation governing personal data, the Data Protection Act 1998, which is considered to have been weak and is very out of date.
This is the most important change in data protection law for the past 20 years. It is not difficult to see the need for an update given the changes in how personal data is used and handled with technological advances and the use of the internet, email and social media. For example, in 1998 Google had not yet launched its search engine in the UK, that is how old the Data Protection Act is!
What is personal data?
The “personal data” of your staff is any information relating to them from which they can be identified, directly or indirectly, for example by name or email address, whether it is held in emails, documents or HR records. As an employer you are highly likely to be storing and processing personal data of your staff. The overall aim of the GDPR is to bring greater transparency and accountability to how personal data is handled.
In addition, most employers will be processing “sensitive personal data” about their employees (termed “special categories of personal data” in the GDPR), including information on their health, any disabilities, race, religion and sexual orientation. This sensitive personal data is already subject to higher protections and these will continue, and be tightened, under the GDPR.
When does the GDPR come into force?
While the GDPR doesn’t apply until 25 May 2018, the new rules it brings are complex. So, in reality, there is a tight timescale for employers to take steps now to avoid potential claims and hefty fines.
Brexit?
The GDPR is European legislation applying across the EU and is due to come into force before the proposed Brexit takes effect. The government has recently confirmed that the UK will implement the GDPR in full in UK law, which was viewed by legal advisors as essential if we want to trade at all with Europe. The GDPR is also important for UK businesses transferring data in and out of other EU states.
Fines!
The new obligations on employers will be much more onerous, with a huge increase in the maximum fine from £500,000 currently to €20 million or 4% of annual worldwide turnover, whichever is higher (with a lower tier of €10 million or 2% for less serious infringements). Fines for smaller and medium sized employers are likely to be eye-watering too, since there is a clear intention to dramatically increase the level of fines. Given this, compliance with the GDPR is not an option (it is a must) and should be given consideration at the highest level in your organisation.
Do you have consent to process data?
At the moment many employers will only have a standard, short clause in their contract of employment that gives the employee’s “consent” to store and process their personal data. This has been increasingly criticised on the basis that the relationship between employer and employee is an unequal one, and it is difficult to say that consent has truly been given freely in these circumstances.
Under the GDPR consent must be informed, freely given, specific and unambiguous, and it can be withdrawn. So the current, standard clause, usually buried at the end of a contract an employee is obliged to sign, may not be good enough under the new regime, and you should consider using a privacy notice as advised by the Information Commissioner’s Office (ICO). You will need to assess the legal grounds on which you process both personal data and sensitive personal data; in an employment context these will often be performance of the contract or a legal obligation rather than consent. Where you do rely on employee consent you must ensure you meet the requirements of the GDPR and document this.
Staff rights on information
The GDPR significantly enhances the rights of employees as “data subjects”, i.e. the individuals the data is about. Staff must be given more detailed information on how and why their personal data will be processed. They must also be informed of their rights to make a subject access request and to have their personal data rectified or deleted. There is a new right “to be forgotten” (the right to erasure) whereby employees can require you to remove personal data about them in certain circumstances.
Data subject access requests
The right of access is retained and strengthened, but the timescale you have to respond is shorter. The current period of 40 days is reduced: employers must comply without undue delay and in any event within one month, with a possible extension of up to two further months where requests are complex or numerous.
There will no longer be a general right to charge the person requesting their data a fee of £10. But importantly, if a subject access request is “manifestly unfounded or excessive”, you will be able to charge a “reasonable” fee for administrative costs or refuse to comply.
New obligations on employers
You will have new obligations and must be able to demonstrate compliance. This includes carrying out data protection impact assessments (also called privacy impact assessments) where processing is likely to result in a high risk to individuals, consulting the regulator before starting such processing where the assessment shows a high risk that cannot be mitigated, and keeping detailed records of your processing activities.
Notifying breaches
If you experience a personal data breach (for example, personal data of an employee is sent to the wrong person) that is likely to result in a risk to individuals, you must notify the data protection regulator within 72 hours of becoming aware of it. Staff affected by a breach must be told without undue delay if a likely consequence is a high risk to their rights and freedoms. This could present real issues if your business does not have strong systems and processes in place to enable staff to report a potential breach to a senior manager as soon as it occurs, since the 72 hours run from the point the organisation becomes aware, not from when someone senior gets round to dealing with it. All businesses should have a Data Protection Breach Response Plan in place as soon as possible.
Ensure suppliers processing data are compliant
At the moment your suppliers that process data on your behalf, perhaps a payroll bureau, have very limited direct liability for data compliance. This will change under the GDPR: processors acquire obligations of their own, and you must have a written contract with each of them containing the terms the GDPR prescribes. There will be an onus on employers to ensure they work with compliant suppliers, as both the supplier (as processor) and the employer (as controller) can now be held responsible for failing to protect data.
Top tips on actions to take now:
At this stage, you should do the following as a minimum:
- Assess your current HR related processing activities and spot the gaps. Update your existing HR procedures and implement new ones where needed, after taking legal advice.
- Ensure you have relevant personnel and/or advisers who understand the legal basis for processing data under the GDPR.
- Make sure that staff are trained in the new rules over the upcoming year.
- Review your key employment documents, including contracts and handbooks, to update them on the processing of personal data.
- Review your supplier contracts to ensure they have data protection provisions and update them to cover the new requirements of the GDPR.
- Identify what other practical steps should be taken over the next 18 months to make sure you are ready for GDPR.
Our employment solicitors work in partnership with organisations to improve their HR practices and advise on employment issues. To discuss this article or any other HR issue call 01392 210700 or employment@stephens-scown.co.uk.
Our clients also benefit from our specialist data protection solicitors. Find out more about our data protection and cyber security team.