What employers need to know about GDPR
As you will know, the UK’s data protection laws are set to change dramatically with the introduction of the EU’s General Data Protection Regulation, or GDPR as it is commonly known. Iain takes a closer look at what the changes will mean for all employers as of May 2018.
The new regulations will involve significant changes to the way in which organisations process data, and new restrictions will mean much greater penalties for failing to meet them. The introduction of GDPR will have a serious impact on employers in terms of how personal data is processed and stored, not just for employees but also for contractors and job applicants.
But please don’t let Brexit make you think that GDPR won’t apply to the UK, because we will still be in the EU when the new legislation is introduced and it is very likely that the UK Government will adopt the same or similar legislation when we do eventually leave the EU.
Breaching the law could mean a company facing significant fines of up to €20 million or 4% of its annual turnover, whichever is higher!
The major HR changes that GDPR will have for employers are:
Data protection by design
Employers need to ensure that only personal data necessary for each specific purpose is processed.
• This means that only the minimum amount of personal data is collected and processed for a specific purpose.
• The extent of processing is limited to that which is necessary for each purpose.
• Personal data is stored for no longer than necessary.
• Access to data is restricted to that which is necessary for each purpose.
Processing by consent
Many employers process employee personal data based on consent. Under GDPR, consent must be “freely given, informed, specific and explicit”. Where an employer obtains consent in a written declaration that also concerns other matters, the request for consent must be presented in a way that is clearly distinguishable from the other issues. This means that broad consents in employment contracts to process employee data will not be valid.
Legal basis for processing
There will be a greater focus on the legal basis for processing personal data under the GDPR. Employers will need to demonstrate that processing is necessary for:
• Compliance with a legal obligation.
• The performance of a contract.
• The purposes of the legitimate interests of the employer or a third party.
If an employee objects to processing based on legitimate reasons, the employer cannot process the data unless it shows that it has legitimate interests for doing so which override the interests or rights of the employee. The right to object could cause significant delay to disciplinary or grievance procedures, redundancies, terminations of employment or business sales.
Information for employees and job applicants
Under the GDPR, employers will be required to provide more detailed information to employees and job applicants about the processing of their personal data. The information that employers must provide includes:
• The identity and contact details of the employer as a data controller.
• The data protection officer’s contact details (if there is one).
• The purposes for which the data will be processed and the legal bases for processing.
• The categories of personal data to be processed.
• The recipients of the data.
• Any transfer of the data outside the European Economic Area.
• The period of storage.
• The rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint.
• The consequences for the data subject of failing to provide data necessary to enter into a contract.
• The existence of any automated decision-making and profiling and the consequences for the data subject.
Employers must provide this information at the point of data collection. Where an employer wishes to process existing data for a new purpose, it must inform employees or job applicants of that further processing.
Data access requests
Under the GDPR, employers must provide the requested information within one month of the request and free of charge, unless the request is unfounded or excessive. The GDPR places much more rigorous obligations on employers to have systems in place that ensure they comply with access rights, with particular emphasis placed on the clarity, transparency and accessibility of such systems.
Principle of accountability
One of the biggest changes under the GDPR is the new level of accountability: the GDPR requires employers to demonstrate full compliance with the data protection principles. These enhanced obligations for employers include a requirement to keep extensive internal records of data processing operations, which must be produced for the supervisory authority to inspect on request.
Employers should create a data register to meet their record keeping requirements. This should provide an up-to-date written record containing information about all personal data processed by the organisation.
Automated processing
Employees have a right under the GDPR not to be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling by any form of automated processing to evaluate, analyse or predict indicators such as their performance at work, health, personal preferences, reliability and behaviour. The GDPR requirements mean that employers should incorporate human intervention into automated processes that could significantly affect employees.
Conclusion
GDPR becomes law on 25th May 2018 and organisations will have to be 100% compliant from day one. These new, greater levels of accountability will mean that all businesses are going to undergo a major cultural and organisational shift, and they will have to take a more proactive, methodical and measurable approach toward compliance.
GDPR, as you will see, is a complex area and the changes are indeed significant. For more information on how to both prepare for and comply with the new legislation, please don’t hesitate to get in touch with me.