An introduction to the changes to Data Protection Law / “The GDPR” for Employers:
12th Mar 2018

Data protection law is set to change. The EU-wide General Data Protection Regulation (GDPR) will come into force on 25 May 2018 via the Data Protection Act 2018. But what do the changes mean for employers, and what can you do to make sure your business is compliant?

Employment Related Data

Employers process the personal data of employees for numerous reasons. For instance, data can be processed for recruitment purposes (such as when applicants provide details on application forms), in order to perform the employment contract (such as using employees’ bank details for payroll), and also to comply with health and safety at work or equality and diversity regulations.

Lawful Processing

However, in order for employers to process personal data in a way that is compliant with GDPR, at least one of the conditions for lawful processing must be met. One of these conditions is Consent, which has invariably been relied upon by employers looking to comply with the Data Protection Act 1998. But the extent to which employers can continue to rely on this ground is now uncertain. This is because the GDPR requires consent to be “freely given, specific, informed and unambiguous”. Due to the imbalance in the employment relationship, it is widely thought that consent will not, in fact, be taken to be “freely given” in this context. Therefore, employers should look to the other conditions to satisfy the lawful processing test.

Another such ground for Lawful Processing is where processing is necessary for the performance of the employment contract. This will be applicable in circumstances such as, but not limited to, paying employees, providing them with their benefits and complying with HMRC reporting obligations. Data can also be processed under the ground of Legitimate Interests in situations where the employee reasonably expects that data processing may take place for such a purpose.

Accountability

Accountability is a key concept under GDPR, and it is vital that employers are able to demonstrate compliance with it. But how can this be achieved? Data protection audits are one way of doing this and involve assessing existing and/or proposed data processing measures. Things to consider include: the categories of personal information; the purpose of collection; and what happens once the data is collected. Data protection policies should be implemented to ensure both employer and employee are aware of their responsibilities.

Some employers will be legally required to have a Data Protection Officer (DPO), including those in the public sector. However, even where you are not required to have a DPO, it is best practice to appoint an individual to be responsible for monitoring GDPR compliance and for dealing with any data breaches, especially since potential fines are set to increase from the current maximum of £500,000 to the greater of 20,000,000 euros or 4% of worldwide turnover.

Data Breach

In the event of a data breach, employers have a responsibility to notify the Information Commissioner’s Office in situations where there is a risk to the rights and freedoms of individuals. This needs to be determined on a case-by-case basis, and relevant considerations will be the loss of control suffered by the individual affected, as well as the risk of identity theft and damage to reputation. The individual affected by the data breach should also be notified in circumstances where the risk is deemed to be “high”. There are exceptions to this requirement, for example where the data is unintelligible, such as encrypted data, or where the risk is unlikely to materialise, such as where an email sent to an unintended recipient has been successfully recalled before being opened.

Next steps

So, with the date for GDPR coming into force just around the corner, it is vital that employers begin to take steps in readiness for its inception. If you need any help with reviewing and updating your current arrangements, or with updating documentation such as employee handbooks, policies and contracts, then we can offer assistance. Please get in touch with Louise Purcell to discuss ways in which we can assist you in readiness for the 25th May 2018.