The 25th of May 2018 might seem a long way off but if you’re anything like me, I can’t believe how long it’s been since Christmas. How time flies.
So, what have you been doing as an employer to get ready for the implementation of the General Data Protection Regulation (“GDPR”)? If your answer to this is nothing then read on and get ready to start acting.
All employers, big and small, need to start thinking about how they intend to comply with GDPR, what is required to implement any changes that are needed and how this will affect employees. To give a flavour of what needs to be considered, I have set out some initial points below to think about sooner rather than later.
Do you have consent to process your employees’ data?
Many employers get consent from their staff to hold their personal data by adding a clause to their contracts of employment. This has been fine so far but under GDPR this is unlikely to be sufficient and employers will need to give thought to the fact that employees may withdraw their consent as easily as they are required to give it.
The onus will be on employers to show that their employees give their consent and so contracts of employment must be checked and an appropriate way forward integrated into employment processes to ensure compliance.
What will you do if there is a data breach?
It will no longer be sufficient to have a vague idea of what you will do if there is a data breach that affects your business. You absolutely must, no excuses, have a proper plan in place and you must take all necessary steps to train your employees about what to do with that plan (and it might be a good idea to test it regularly, make sure it works and be comfortable that everybody knows what to do – don’t wait to use it for the first time in a crisis).
GDPR sets out mandatory reporting requirements and you will have a very limited time window (just 72 hours) to report any breaches. This is not a lot of time to gather together staff and information and make a decision about whether or not to report a breach.
Is your existing data protection policy adequate and up to date?
As the law currently stands, employers are required to give a “fair processing notice” to employees and job applicants setting out details about how they will be processing their personal data and what information is needed for that processing to be fair.
GDPR will significantly extend the obligations on employers in this area including requirements to inform people about:
- how long the personal data provided by the employee will be stored for;
- if the data held will be transferred to countries outside of the European Economic Area;
- the rights of the individual to make a subject access request; and
- the right of the individual to have their personal data deleted or, in certain circumstances, rectified.
This is an area of particular concern for many and one in which a lot of care must be taken by employers. They must be mindful that the information has to be provided by them in plain language (as you know, this is not always an easy task), in a clear format and must be transparent, concise and easily accessible to all.
Subject access requests must be dealt with swiftly, or else!
Dealing with subject access requests (“SARs”) can be tricky for employers now. Under current legislation, SARs are subject to a forty-day deadline to be dealt with by employers which is not a lot of time when you consider all of the other things employers have to do.
GDPR changes this time limit to an obligation to comply without delay and within one month. This time limit may be extended to two months if a request is particularly complex. SARs relating to employment are often those which are the most time consuming and difficult to deal with and as such, may give rise to the highest number of requests for an extension of time.
In respect of fees charged for SARs, the £10 currently chargeable will be scrapped and employers will be able to request a reasonable fee where an SAR is manifestly unfounded or excessive.
Ensuring that all relevant staff members are aware of the requirements here and that an appropriate and well documented policy is in place will greatly help with dealing with SARs quickly and with as little pain as possible.
My right to be forgotten (and more).
The rights of employees under GDPR will be extended in respect of:
- objecting to certain types of processing of personal data;
- correcting data records or restricting its use; and
- having data deleted (also known as “the right to be forgotten”).
In the same way as SARs, if a request is considered by an employer to be clearly excessive, they can refuse to comply or charge a fee. But caution needs to be exercised here.
These rights could end up front and centre in employee disputes as all parties become more familiar with their use. If privacy notices are considered to be inferior, or if proper consent for processing data has not been secured as set out above, then employees may make an argument that the processing was unlawful and that the data held about them should be deleted.
Employee data will almost certainly be processed by third parties.
Payroll companies or cloud based service providers are just two examples of third parties who may process employee personal data in the course of their employment.
GDPR imposes stricter rules around the use of third party data processors and contractual arrangements with them will need to be reviewed and, where necessary, tightened up to ensure compliance with the new, stricter regime.
This in turn may well result in the third party processors being more careful about the companies they provide services to but time will tell on this. What is clear is that these contractual arrangements will almost certainly need to be tightened up to comply.
Do you need a data protection officer (“DPO”)?
Public authorities and private companies involved in regular monitoring or the large-scale processing of sensitive personal data will be required under GDPR to have a DPO. For many companies which are not legally required to have a DPO, it might be a good idea to appoint one anyway. The long list of benefits and opportunities which will come from having a DPO in place and addressing data protection in a positive way will benefit many businesses.
DPOs must be independent (in many cases it is probably best to use a third-party provider rather than an employee in order to demonstrate independence) and must have access to the highest level of management in the business.
Be prepared to be boarded.
You must be ready to be subject to an audit. Data by design means that you must be ready and able at all times to demonstrate your compliance.
It is imperative that employers have their policies and procedures clearly documented, in place and filed so that they can be easily found. Impact assessments must not be forgotten relating to employee matters any more than in respect of any other business areas. Non-compliance is not an option.
Even under current legislation, complying with access requests for employee related data can be troublesome. By its very nature, employee-related data can be spread throughout various areas of a business which can be hard to find and pin down. This won’t be acceptable under GDPR and employers will need to establish sound, robust business wide processes to ensure that they know where all related data can be found.
It is clear that many employers face a lot of work to make sure they are compliant with the new world of data protection. This affects businesses of all sizes and there will be nowhere to hide for those who don’t take their obligations seriously from the outset.
By Daniel Gardener