GDPR (what you need to know) part 3

This article forms part of our GDPR series in which Amelore employment experts offer practical advice, ahead of the coming-into-force of the GDPR in May 2018.

The General Data Protection Regulation (the Regulation) represents the most significant shift in European data protection legislation since the Data Protection Directive (enacted in the UK through the Data Protection Act) of the late 1990s. The Regulation presents a very significant challenge to all data-driven units of modern business, not least human resources (HR).

In this article, we explore the legal and practical challenges the Regulation’s requirements pose to HR.

Scope

The GDPR expands the scope of European data protection legislation in both subject matter and territorial application. For the first time, data processors (parties who process personal information on behalf of a data controller) will find themselves required to meet direct regulatory obligations. In addition, the Regulation’s intended jurisdiction is no longer restricted to EU-based organisations: it brings into scope any organisation selling to, or monitoring the behaviour of, EU citizens. Like much European law, the extent to which the Regulation will see successful enforcement outside of the EU is a developing area.

From an HR perspective, these provisions raise significant considerations for global employers and for providers of virtual HR and HRIS products. For a multinational employer, a detailed understanding of global data flows will become increasingly key. This is especially critical where a centralised storage and database solution manages global (both EU and non-EU group company) HR data. Non-EU group companies using a shared resource may find themselves directly affected by the GDPR.

For outsourced HR and recruitment, and for HR software providers, the Regulation is set to present a new legal burden. At present, suppliers have, as data processors, enjoyed liability limited only to their contractual arrangements with data controllers. Under the Regulation, such processors will be required to comply directly with the GDPR and, by extension, face direct liability (and the same fine thresholds as data controllers under certain circumstances).

Fines

Regulatory fines under the GDPR are set to increase well beyond the ICO’s current enforcement ceiling of £500,000, representing a fundamental shift in risk profile for UK organisations.

That said, the Regulation grants Data Protection Authorities significant discretion as to whether and the extent to which fines will be imposed on an organisation, in the event of a breach.

In addition, the fine parameters are set against a two-tier system to account for the comparative seriousness of different breaches.

From an HR perspective, it is critical for organisations to consider whether existing policies and procedures fall short of GDPR compliance, especially where time limits may be a factor, e.g. in relation to breach notification (see below).

Privacy Notices

The Regulation mandates a host of required information, which a data controller must provide to an individual data subject at the point at which personal data is collected. Non-exhaustively, these include details of:

  • the legal basis upon which personal data will be processed;
  • how long personal data will be retained;
  • if, and the extent to which, personal data will be transferred overseas, and, in the event that personal data will be transferred outside of the EEA, the appropriate safeguards in place to protect that data; and
  • the mechanism by which an individual would make use of their data subject rights, including:
    • how to make a subject access request; and
    • how to request the deletion or rectification of personal data.

These mandatory requirements present challenges for employers both in relation to the employee/employer relationship and in the context of job applicant data.

Employers must consider whether existing employee and applicant notices meet GDPR requirements and consider how clarity and accessibility of notices can be ensured.

Employee Rights

The Regulation significantly enhances the rights of data subjects, which will in turn present greater compliance obligations for employers.

Areas which face significant change include:

  • the information to be provided to data subjects in response to a subject access request – we will address this in detail later in the series. The Regulation mandates a more detailed set of information be provided to a data subject, particularly in relation to the purpose and means by which personal data is processed;
  • data rectification rights (in circumstances in which data held about a data subject is inaccurate or incomplete) – in some respects rectification rights remain unchanged under the Regulation. However, data controllers will now face a mandatory obligation to notify third parties in the event that data is amended in response to a data subject request. Employers should be prepared to notify any third parties to which employee data has been transferred and consider how they might implement procedures to action this obligation in practice; and
  • the right to be forgotten – this new right presents a potentially significant practical challenge for employers, particularly where employee personal data is backed up in somewhat inaccessible or complex systems. Much like rectification rights, a data subject’s right to have their personal data deleted on request should prompt all employers to consider how this would be practically achieved.

Breach Notification

The Regulation introduces dramatically enhanced requirements in relation to breach notification.

In summary, a data controller:

  • must notify the relevant DPA within 72 hours of becoming aware of a breach, unless it can provide justification for a delay; and
  • is required to notify data subjects affected by a breach directly, without undue delay, if the breach is likely to present a high risk to the individuals’ rights and freedoms.

The second obligation is tempered by exceptions, such as where the personal data is encrypted. Under these limited circumstances, controllers may be spared the obligation to notify data subjects directly.

For HR, this presents a two-fold challenge. Should a breach originate within HR itself, effective co-ordination between HR and an organisation’s legal and/or compliance teams is likely to prove critical (especially given the tight timeframe for response). In addition, should the breach affect employee data and require data subject notification, HR is likely to play a key management role. Ensuring compliance will likely require a complete review of internal policies and procedures, with a particular focus on efficient internal communications. Data processors are also required to report breaches to data controllers.

Employee Consent

A change HR is likely to feel very directly is in relation to the use of consent as grounds for processing employee personal data. Non-specific consents to processing are unlikely to be considered valid under the GDPR.

Practical steps to compliance

The following are likely to prove critical risk management steps:

  • comprehensive gap analysis and business wide data protection audits;
  • a full review of internal and external policies, procedures, templates and information notices;
  • consideration of consent alternatives; and
  • consideration of (potentially mandatory) data protection officer appointment, and instruction of external legal/compliance support.

Our next article will look at how to conduct a gap analysis and a wider data protection audit.

Looking forwards

The GDPR clearly represents a significant compliance hurdle. Employers must therefore maintain an awareness of developments at a national level, especially in relation to equality, recruitment and health and safety provisions.

Employers should, however, take some comfort that some element of harmonisation between EU data protection law and the UK’s eventual domestic position will be desirable. Compliance with the GDPR’s requirements will likely be the most efficient way for organisations to future-proof.

Disclaimer

This document is for informational purposes only and does not constitute specific advice. It is recommended that specific professional advice is sought in relation to your situation and organisation before acting on any of the information given.

GDPR – Employee record keeping and beyond

In a series of blogs, Amelore begin to look at GDPR from an HR perspective to ensure employers are ready for the new requirements in respect of their employee data and beyond. This will form part of a continuous focus on this hot topic until May 2018, when GDPR goes live. We appreciate many companies may not yet have begun their GDPR journeys, so we will be offering advice and guidance in short blogs. We will also help to signpost employers to useful information which extends beyond the processing of employee data.

GDPR is itself an extension of existing UK data protection laws. This new legislation builds on the Data Protection Act (DPA) which employers already need to adhere to. DPA principles cover areas such as ensuring employers keep accurate, secure information.

The ICO (Information Commissioner’s Office) are at the forefront of helping organisations understand this evolution of our data protection laws. They recently published GDPR Myths, a series of blogs which helps to demystify the new regulations.

Data breach – what does an employer need to do?

In the ICO’s latest blog they provide valuable advice and guidance on how employers need to respond if a data breach occurs. They report that some employers have expressed concern that every data breach needs to be reported and that huge fines will ensue. The ICO say this is not the case, and that only breaches that are likely to risk people’s rights and freedoms will need to be reported.

The ICO also point out that fines will be proportionate and that companies who are open, honest and report without undue delay can avoid fines. It is expected that by now, larger organisations will already have appointed a Data Protection Officer (DPO). However, smaller organisations are also advised to consider who in their organisation is responsible for data. We would advise all organisations, no matter how small, to know who is responsible for data (again not just employee data) and who is responsible for reporting a breach should it occur. This starts to form a robust approach to data governance.

Employee data processing

Employee data processing will be a key focus for many organisations; however, some employers may be worried about potential changes to how they currently store their data.

All organisations will be storing employee records in some way, shape or form, so you are now advised to review these filing systems, including the security of the data you are processing in respect of employing people, to ensure robustness. We have already observed some organisations writing to their third-party data processors asking for evidence of their compliance.

Handlers of this data need to make sure they are processing data fairly and for legitimate purposes. Furthermore, if they are transferring it outside of the EEA, specific safeguards apply.

For those employers wondering if the UK’s exit from the EU will affect GDPR, the government has already confirmed it will not. However, please note that international companies operating across EU states will need to work out who their lead data protection supervisory authority is.

Further still, forming a data protection working party or project team to audit what data is being processed is also advisable. Many companies are already helping organisations with data mapping and auditing. Amelore work closely with Mazars to provide a range of services for our clients.

In summary, the good news is that common sense does prevail and that the processing of data where it is necessary for the performance of a contract will be a valid reason for processing. If you have any queries or questions in relation to any of the points made please contact Amelore for further advice and guidance.

We will continue to focus on this topic as we approach next year, tackling other aspects of the GDPR (link to first blog) in further detail, such as consent, the right to be forgotten, and subject access requests.