GDPR AND IMMIGRATION PROCESSES

Most employers will be aware of the upcoming introduction of the General Data Protection Regulation (GDPR). But how can they be sure that the way they collect and store information for immigration purposes will be compliant? Amelore looks at the key risk areas.

GDPR

The introduction of the General Data Protection Regulation (GDPR) presents a huge challenge for employers in many data processing scenarios.

Not surprisingly, immigration processes necessitate the collection and processing of considerable personal data by an employer and, in many situations, one or more third parties such as legal advisers.

And with the deadline of 25 May 2018 fast approaching, there is a real chance that some types of personal data processing will be missed in your planning, leaving a compliance gap and a risk of a breach.

For many employers, immigration is a niche activity that changes constantly and is therefore difficult to fully understand and account for with internal policies and processes.

However, given the sensitive nature of data collected and processed, and the multiple parties often involved in this, now is the time to look at key immigration activities and ensure that they are GDPR compliant.

Here are a few scenarios that illustrate the wide range of immigration data points to be accounted for in preparing for GDPR.

Right to work checks

Employers are expected to conduct right to work checks on every new employee, ideally before the person starts work, so that they only employ people with the right to work in the UK. The employer should see the original documents, take copies, and sign and date each copy to record when the check was done; the copies should then be stored securely, with access limited to those who need it.

While it is easy to assume that this processing falls under the GDPR lawful basis of “legal obligation” (Article 6(1)(c)), that is not actually the case.

A right to work check is carried out to establish a statutory excuse against a civil penalty under the Immigration, Asylum and Nationality Act 2006 – that is, to avoid a fine should an employee be found to be working illegally. It is not, strictly speaking, a legal requirement to perform the check, and there is no penalty for failing to perform one where the employee turns out to be working legally. Employers that do not carry out the checks, however, will have no statutory excuse if an employee is found to be working illegally.

Therefore, the retention and processing of data relating to immigration status will usually fall under “legitimate interests” (Article 6(1)(f)), which means the employer should document a legitimate interests assessment and cover this processing in its privacy notice, including how long the copies will be kept. Home Office guidance is to retain the copies for the duration of the person's employment and for two years after it ends.

Resident labour market test

The resident labour market test (RLMT) is conducted as part of a Tier 2 (General) application, the work permit route for a new hire from outside the UK/EU, to demonstrate that no suitably qualified UK/EU candidate was available before the role is offered to a non-UK/EU individual.

The employer generally needs to place two adverts, each on a different website, for 28 days, and then assess the applications received against the skills, education and experience described in the advert.

If there are no suitably qualified candidates from the UK/EU, then a non-UK/EU individual can be offered the role and be sponsored under Tier 2 General.

Documentation, including job applications, CVs and interview notes, needs to be retained for up to seven years in case the Home Office conducts a compliance audit.

Now imagine you were one of the candidates who applied for that role. You were interviewed but ultimately unsuccessful. You might reasonably expect your details to be kept for a limited period, for example six months, so that the employer could defend any challenge arising from the appointment.

Most candidates would be surprised to learn, however, that their personal information may be stored for up to seven years and shared with legal advisers and the Home Office as part of the immigration process for the successful candidate.

Employers may argue that retaining the information is a legal obligation, but the Home Office document that sets out the retention requirement is sponsor guidance rather than part of the Immigration Rules. It is a policy document, so whether it creates a legal obligation in the Article 6(1)(c) sense is open to interpretation.

As such, employers may instead have to rely on “legitimate interests” as the lawful basis for retaining the information. This requires a documented legitimate interests assessment to confirm that the employer's interests are not outweighed by the risk of prejudice to the individuals concerned, bearing in mind that unsuccessful candidates would not expect their data to be held for this long.

What steps do employers need to take to ensure that their RLMT processes are GDPR-compliant?

  1. Ensure your privacy notice for recruitment makes clear that personal data may be processed and retained to meet immigration requirements, specifically the RLMT for Tier 2 (General), that it may be shared with legal advisers and the Home Office, and how long it may be stored.
  2. Minimise personal data where possible. The personal data that must be kept on file under the relevant Home Office policy document relates only to candidates shortlisted for final interview, not to everyone who responded to the advert. Likewise, do not ask for personal data that is not strictly required at this stage of the process, for example copies of passports, immigration documents and evidence of qualifications and experience.
  3. Redact personal data that is not needed. A further way to minimise what you hold is to redact information that is irrelevant to the retention requirement, such as contact details, interests and hobbies. Note that a redacted CV is still personal data while the candidate remains identifiable from it, so this is minimisation rather than anonymisation, and the retained file still needs to be secured and covered by the privacy notice.

Immigration enquiries and opinions

Throughout the course of employment, an employee can expect that their employer may need to consult legal advisers and other professional advisers on a range of matters, including immigration, and in doing so may need to share the employee's personal data.

This should of course be covered in the section within the privacy notice dealing with disclosures to third parties.

However, what if these enquiries require personal data to be transferred outside the European Economic Area (EEA)? For example, the organisation may be looking to transfer an employee to the US and want a US-based immigration lawyer to assess the employee's eligibility.

Transfers of personal data outside the EEA need to be addressed in privacy notices. Any such transfer should only take place where adequate protection for the personal data is ensured in the recipient country, which under the GDPR (Articles 44 to 49) means an adequacy decision covering that country, appropriate safeguards such as standard contractual clauses with the recipient, or one of the specific derogations. This is also the existing position under the Data Protection Act 1998.

With just over a month to go until the GDPR goes live, now is the time to identify the data points in your immigration processes and ensure they are GDPR compliant.

GDPR countdown – are you ready?

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. If you have not started preparing, you need to start now, as time is fast running out.

Changes to the governance of data will have far-reaching consequences for businesses. The GDPR will shape how your business operates, and in particular how it manages, protects and administers personal data in the future.

Europe currently has a patchwork of data protection regimes, with each EU country having implemented the 1995 Data Protection Directive in its own way. Organisations have had to deal with different sets of rules depending on where they set up and where they sell their products or services. The GDPR will harmonise data protection law across the EU, and its reach extends beyond it: under Article 3, it applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour there. The test is where the individual is, not their citizenship.

European companies are still wrestling with how they will comply with the law in less than a year. Companies from other parts of the world may not even have heard of the GDPR, and so may be unaware of its possible impact on them. Because individuals in the EU do business and exchange data with companies across the globe, international companies outside the EU need to be aware of the GDPR and should be planning for it. Failing to do so could seriously hinder their ability to market and sell their products and services in the EU.

Who needs to be GDPR compliant?

It is imperative that organisations that offer goods or services to individuals in the EU, and process their personal data as a result, are compliant with the GDPR. The same applies to any organisation established in the EU, regardless of where the processing itself takes place.

A global study by Veritas found that businesses are worried they will not be compliant by the May 2018 deadline: 56 per cent of respondents in Singapore, 37 per cent in the US and more than 60 per cent in Japan and South Korea said they were worried they would be unable to meet it.

More than 90 per cent of organisations in Singapore were concerned about the potential business disruption from the GDPR, and around 20 per cent feared their company might go out of business as a result.

These are alarming figures for foreign companies that do business in the EU.

The GDPR represents a shift across the world towards a culture of safeguarding personal data, especially considering the global reach of the legislation.

What you should already be considering

As the clock is ticking, companies should be working towards compliance in a structured manner, including:

  • rolling out GDPR awareness programmes across the business;
  • ensuring representation and input from all key business functions;
  • data mapping all personal data flows in and out of the organisation;
  • creating an information asset register; and
  • undertaking a gap analysis against the GDPR's requirements, including privacy notices and consent mechanisms, data protection impact assessments and contractual arrangements with third parties with whom personal data is shared (Article 28 requires a written contract with any processor).

These form the building blocks for determining how much further work is required for the business to be compliant by spring 2018. Many businesses will need significant changes to policies, procedures and working practices. Smaller businesses that collect, process and store limited personal data may be less affected, but may still need to make some changes to comply with the new legislation.

Organisations that began working towards GDPR compliance early are clearly ahead of the game and have a better appreciation of the effort required to make the necessary changes.