In the context of an escalated General Election, Article 50 being triggered, Mrs May’s commitments to leave the single market, talk of new trade agreements with countries outside of Europe, and news that several banks will be moving staff to continental Europe, it might be easy to forget that no matter how Brexit negotiations play out, the General Data Protection Regulation (GDPR) will become law in this country, as well as across the rest of Europe, on 25 May 2018.
Even once we have Brexited there is much to suggest that our privacy laws will need to stay the same or similar to the GDPR, to enable businesses trading across continental Europe to continue doing so without the need for complicated and cumbersome alternative arrangements to be put in place. In addition, one might arguably consider the protection of employees’ information to be a worker’s right which the UK Government has indicated will be protected post-Brexit.
It is essential to act now as the GDPR will affect many parts of your business, from HR records to customer list and contact details, all of which will be covered by the new rules.
The GDPR develops many of the concepts with which we are familiar under our current data protection law but also introduces new concepts. One significant change is the very considerable increase in potential penalties, which will jump from the current maximum of £500,000 to the greater of €10 million and 2% or €20 million and 4% of the annual total worldwide turnover of the undertaking, depending on the type of breach.
Are you allowed to hold and share data about your employees?
Currently an employer needs a lawful reason to be able to process data about its employees. Many employers rely on the assertion that the employees have consented to that processing, often via a clause in their contract of employment. This is despite the fact that the UK Information Commissioner and the EU Working Party have made it clear that they do not consider that consent can be genuinely freely given in an employment context where the alternatives to giving consent are not being offered the job or having any other penalty imposed. The GDPR expressly states that consent may not be used if there is a significant imbalance between the parties and expressly refers to the employment context as such an example. Therefore, although the concept of consent under the GDPR remains similar to the current requirements in that consent must be freely given, specific, informed and the positive indication of the wishes of the employee, it is highly unlikely that genuine consent (for data protection purposes) can be given under the GDPR in an employment context.
Even if consent can genuinely be given in the first place, employees will need to be told that they have the right to withdraw their consent and the way of doing that will have to be as easy as giving it in the first place, so a simple note to their manager or HR will suffice. Employers will then be left with a fundamental problem: as soon as an employee withdraws their consent, the employer will be unlawfully processing their data unless there is another lawful ground to rely upon. The advice therefore is not to rely on consent but rather to consider it a potential, if unreliable, backup to other lawful grounds for processing.
Employers are allowed to process data in order to comply with their legal obligations or to observe the terms of an employment contract. These grounds are helpful in respect of some employee information, particularly relating to payroll, but they clearly do not cover many documents that one typically finds in the personnel files, such as appraisals. It is predicted that the most widely used lawful ground for processing will become what is known as the legitimate interests ground. However, there are limitations on this ground as it only allows processing of data which is necessary for the purposes of the employer’s legitimate interests and only where those interests should not be overwritten by the rights and freedoms of the employee; in other words, a balancing exercise has to be conducted between the interests of the employer and the interests of the employee.
Several principles are tightened up under the GDPR:
- Accuracy. Data must be kept up to date, and inaccurate data will need to be corrected or erased without delay.
- Data minimisation. In other words, employers will only be able to hold data which is necessary for the purpose that is being processed. This means that retention periods should be set to a minimum.
- Purpose limitation. The reason why the data is being processed must be specific, explicit and of course a legitimate purpose in the first place.
- Transparency. There will be greater need for employers to explain their actions and decision making.
- Clarity. Employers must make sure that the information they provide to employees is both concise and written in plain, easily understood language.
There are undoubtedly tensions between some of these principles and other business interests. For example, the obligations to keep data up to date and only process data which is necessary would suggest that once an employee leaves the organisation, much, if not all, of the data held about them should be deleted. However, your business must also be mindful of its other legal duties such as keeping records for tax and immigration purposes. Further, the business will undoubtedly want to keep information about former employees, at least in the short term, to help in the defence of any employment claims which the former employee may bring. Redundancy selection information about successful candidates may well need to be retained to defend claims brought by those who were, in fact, made redundant. In other words, the reasoning will not always relate to the individual who is the subject of the data. The upshot is that each type of information should be considered and your business should set a destruction period for each type based on objective reasoning.
In the employment context, we tend to think of simply subject access requests, i.e. the employee’s right to request details of the information which their employer holds about them. However, under the GDPR, employees will have new rights: the right to have some of their information transferred to, for example, a future employer; the right of erasure (dubbed the “right to be forgotten” by the press); the right of restriction (which in effect puts information in limbo and prevents further processing while a dispute between the employer and the employee is resolved); and the right to object to the processing of their data and to object to profiling (i.e. analysis or prediction of performance at work via automated methods).
Currently an employer can require an employee to pay a £10 fee when submitting a subject access request. That option will no longer be available under the Regulation. Subject access requests have long been part of the litigator’s arsenal as a means of obtaining documents at an earlier stage than disclosure. Particularly in the context of large-scale claims such as equal pay, subject access requests may become all the more disruptive for employers. One can easily imagine a trade union submitting subject access requests on behalf of all its members involved in an equal pay claim where there is no fee to pay. The further bad news is that employers will no longer be able to provide a summary of the data held but will have to provide copies, and the normal time frame for responding will be one month, shortened from the current 40 days. Many may consider that the final nail in the coffin of subject access headaches is that employers are encouraged to provide the information electronically and this is the default position if the request is made electronically (e.g. by email, as is quite likely).
Data protection officers (DPOs)
Depending on the nature of the core activities business, some employers will need to appoint data protection officers, who will benefit from further rights and in respect of whom employers will have new obligations.
A data breach is a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data. Fundamentally, there is no concept of severity, so simply sending an email with all the recipients’ email addresses in the “To” field rather than the “Bcc” field so everyone can see each other’s email addresses is a data breach. There are common examples of employees losing their laptops or their phones which, unless they are sufficiently encrypted to render the data inaccessible or unintelligible to anyone who finds the devices, are likely to be data breaches. There will also be a duty to report most data breaches to the Information Commissioner within a newly established time period of 72 hours of becoming aware of the breach and a new duty to report some breaches to the employees themselves.
Click here for an 11-point action plan for HR teams.
Our dedicated employment team can guide you through the GDPR preparation process as well as advise on any other contentious or non-contentious employment law matter. For a free initial conversation contact Rachel Tozer, Sonia Bhola or your usual Keystone Law contact on 02033193700
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.