Data Protection: the GDPR from an Employer’s Perspective
The EU’s legislative bodies, national data protection authorities and EU member states have spent considerable time over the past few years preparing an updated and more harmonised data protection law, known as the General Data Protection Regulation (GDPR). The GDPR is a response to rapid technological developments and the exponential growth in the collection and sharing of personal data.
The GDPR will come into force on 25 May 2018, and therefore will be transposed into UK law prior to Brexit. In any case, HM Government and the Information Commissioner’s Office (ICO) have made it clear that the GDPR (or a British equivalent) will apply post-Brexit, so Britain’s exit from the European Union will not prevent its implementation.
Whilst many of the principles in the new legislation are much the same as the core principles and concepts under the current Data Protection Act 1998 (DPA) (for example, fairness, lawfulness and confidentiality remain at the heart of the GDPR, and the core concepts of personal data, data controllers and data processors are broadly similar), the GDPR will have a much more significant impact on employers because it introduces new and varied concepts to strengthen those core principles: for example, enhanced rights for data subjects, greater data controller transparency, more burdensome standards for consent and significantly increased sanctions for non-compliance.
This article seeks to highlight some of the key changes to look out for and what action your organisation can take to comply:
The right to be informed
Transparency is a key part of GDPR compliance, and employers will have to be more open with their staff about their approach to managing and processing data.
At the time data is obtained, the employer must provide the employee with certain prescribed information, including:
- the identity and the contact details of the employer;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country and the legal basis for the transfer;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing;
- the right to object to processing as well as the right to data portability;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
- whether the personal data will be subject to any automated processing and, if so, the logic involved, as well as the significance and the envisaged consequences of such processing for the employee.
To meet these strict requirements, you need to provide detailed, GDPR-compliant privacy policies to staff and include privacy notices whenever you collect personal data.
The right to erasure
This is a right to be forgotten (erasure). Individuals can require data to be erased when there is a problem with the underlying legality of the processing (i.e. where the processing fails to satisfy the requirements of the GDPR), the employee objects to processing and there is no other compelling ground that overrides their interest, or where they withdraw their consent and the employer has no other ground for processing. Controllers must respond without undue delay and in any event within one month.
Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. That said, the situations where erasure can be demanded are generally those where personal data would have to be deleted anyway.
Controllers who have made data public which is then subject to a right to erasure request, are required to notify others who are processing that data with details of the request. The obligation is to take reasonable steps and account must be taken of available technology and the cost of implementation.
The right to data portability
Data portability goes beyond the scope of a subject access request (which allows individuals to access their data): it requires the controller to provide the information in a structured, commonly used and machine-readable form so that the data subject can transfer it to another data controller without hindrance.
The data controller can be required to transmit the data directly to another controller where it is technically feasible to do so. Data portability is narrower than the right of subject access, as it only applies to personal data processed by automated means (no paper records), to personal data provided by the data subject to the data controller, and where the basis for processing is consent or the performance of a contract (or steps preparatory to a contract). This may be particularly relevant to employers when employees leave a company.
The right to object
There are rights for individuals to object to specific types of processing such as direct marketing, processing for research or statistical purposes and processing based on legitimate interests. The right to object to direct marketing is absolute so once an individual objects, the data must not be processed for direct marketing any further. In relation to the others, once the individual objects it is down to the controller to establish why it should be able to process personal data on that basis.
The right to object must be brought to the individual’s attention at the latest at the time of first communication and in the case of online services, the individual must be able to exercise this right by automated means.
The right to rectification
Individuals can require a controller to rectify inaccuracies in personal data held about them.
Consent
Consent is one of the conditions allowing the processing of personal data. The Data Protection Directive (Directive), to which the DPA gives effect in the UK, distinguishes between ordinary consent (for non-sensitive personal data) and explicit consent (for sensitive personal data, such as medical records) and states that consent must be a specific, informed, freely given and unambiguous indication of agreement.
The GDPR retains this high standard of consent, and goes further by requiring consent to be “freely given, specific, informed and unambiguous”. This means that implied consents, opt-outs or silence are all invalid. In an employment relationship, the imbalance in power is likely to make consent invalid. Therefore the common practice of including data protection ‘consent’ in employment contracts is inappropriate. Employers must be able to demonstrate that the data subject gave their consent to the processing, and they will bear the burden of proof that consent was validly obtained. It should be noted that consent obtained pre-May 2018 will not be valid from that date unless it is GDPR compliant.
However, consent is not the only ground for processing personal data. In an employment situation, the employer can usually rely on the fact that processing employee data is necessary for the performance of the employment contract (for example where employers process employee data for payroll, tax or reporting purposes, or to provide statutory entitlements such as sick pay, annual leave or maternity pay), that the employer has to use the data to comply with a legal obligation (for example where employers are required to monitor working hours), or that processing is necessary for the legitimate interests of the employer.
Withdrawal of consent
The GDPR states that consent can be withdrawn at any time and it must be as easy to withdraw consent as it is to give it. If consent is withdrawn and there are no other grounds for processing, you will have to delete the data.
Accountability
Under the current DPA there is a duty to comply with the data protection principles, whereas the GDPR goes a step further and requires an employer to demonstrate this compliance. As a bare minimum this will no doubt mean that an employer is required to have in place a data protection policy which demonstrates that its processing of personal data is compliant with the GDPR, and an employer should also be able to evidence that it has implemented the policy through, for example, staff training, audits of data processing and so on.
Notification of breach
Whilst the ICO’s guidance recommends that serious data breaches are reported to it, regardless of the sector, under the DPA there is no obligation to report a data breach to the regulator unless the organisation is a telecoms provider or internet service provider.
However, under the GDPR employers who are aware of a personal data breach must notify the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it. This could have a huge impact on day-to-day activities, as we all know how easy it is to lose mobile phones and laptops, or to have them stolen. This also adds further consequences to that e-mail sent to the wrong recipient! The flipside to this requirement is that employers can use this obligation to their advantage to deter employees who leave to set up a rival business and, in advance of leaving, email personal data about clients to their personal email. Employers can warn employees that such conduct is strictly prohibited and is in breach of data protection law (it can even be a criminal offence), and also warn them that the employer can report the departing employee who has breached covenants / confidentiality in this way to the ICO, which could result in their prosecution.
There is no notification requirement if the breach is unlikely to result in a risk to employees but records will need to be kept to show that the breach was assessed and why the decision that no notification was required was taken. If notification is required, the employer must explain to the regulator what happened and set out the potential number of individuals affected, the likely consequences and the measures taken or proposed. If the breach is likely to pose a high risk to an employee’s rights and freedoms then they must also be notified.
Employers should therefore consider putting policies and processes in place to ensure that data breaches are responded to and that the GDPR timescales are met.
Subject access requests
The current law regarding subject access requests (SARs), which most employers consider to be time consuming, costly and most commonly used as a precursor to litigation, is unlikely to become easier to deal with under the GDPR. The process itself will remain the same, but:
- The current fee of £10 will no longer be chargeable. However, if a request is “manifestly unfounded or excessive, in particular because of its repetitive character”, employers will be able to charge “a reasonable fee” under the GDPR, taking into account the administrative costs of providing the information. Without guidance on what “manifestly unfounded” or “excessive” mean, employers will no doubt be reluctant to exercise this power, particularly in light of the potential ramifications of a failure to comply.
- The current statutory timeframe of 40 days to comply with a request will be replaced with an obligation on employers to comply “without undue delay” and at the latest within one month of the request. This makes compliance more onerous and employers will need to ensure that staff are adequately trained to deal with SARs within the new timeframe. However, if the request is particularly complex or there are numerous requests then the timescale can be extended by up to two further months. In order to benefit from the extension, an employer will need to notify the individual within the initial one month timeframe of the reasons for the delay. For complex issues this could give an employer the necessary time to deal with the request adequately but the extension should not be relied on as a matter of course.
Sanctions
Perhaps the most important change to note is that of increased sanctions for non-compliance. A breach of the GDPR will lead to much more severe penalties than under the current DPA, including fines of up to 20,000,000 Euros or 4% of annual worldwide turnover, whichever is the greater. Businesses will therefore no longer be in a position to regard non-compliance with EU data protection law as low risk.
Action points for employers
- Review your data protection policies and training methods to ensure these are consistent with the revised principles.
- Ensure you are clear about the grounds for lawful processing relied on by your organisation and check that these grounds will still be applicable under the GDPR.
- Where relying on consent for lawful processing, ensure:
  - consent is active and does not rely on silence, inactivity or pre-ticked boxes;
  - consent is distinguishable, clear and not bundled with other written agreements;
  - data subjects are informed they have the right to withdraw (by the same method as consent was given: website, e-mail, text);
  - separate consents are obtained for distinct processing; and
  - consent is not relied on where there is a clear imbalance between data subject and data controller.
- Ensure staff know how to deal with data breaches, erasure requests and subject access requests within the necessary timeframes.
- Identify means to demonstrate compliance, for example paper trails of decisions relating to data processing.
The GDPR’s provisions and the obligations which they bring are extensive. More detailed information can be obtained by contacting our Employment Team or our Data Protection Team.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.