The EU General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018. This is a significant change in data protection law and businesses will need to invest time preparing for the changes. We have prepared some FAQs with an HR focus to help employers prepare.
Q: Given that the UK is leaving the EU, do we still need to prepare for compliance with the GDPR?
A: The short answer is yes. The GDPR will come into force in the UK before it withdraws from the EU and, in any event, even after the UK’s exit the UK must still offer data protection standards that comply with EU requirements to avoid being classified as inadequate in terms of the level of protection given to personal data. The reality is that if the UK wishes to trade and deal with the EU, it must satisfy the same high standards of data protection. Employers with operations in the EU must comply in any event.
Q: Our employees give consent to workforce data processing in their employment contracts. Will this still be sufficient to cover processing of personal data?
A: No. Under the GDPR, consent for data processing must be ‘actively and freely given’. It must also be ‘divisible’ and as easy to withdraw it as to give. As an employee usually cannot reject a particular clause in their employment contract it is not (for GDPR purposes) considered to be ‘freely given’. The standard consent clause also does not separate out the full range of data processing that may be carried out and does not, therefore, allow the employee to say no to a particular aspect of the proposed processing.
The good news is that the GDPR allows employers to rely on alternative valid bases for processing personal data (other than just employee consent). For example, a data protection audit is likely to show that the employer needs to process personal data to operate the payroll or the sick pay system. Where this valid basis for data processing exists, employers can rely on the justification that such processing must happen in order for the employer to perform the employment contract.
Another example might be that the employer identifies a need to monitor IT systems for data security and regulatory compliance reasons. It is arguably better to justify the processing on this basis rather than relying simply on employee consent which could be withdrawn at any time. It will be important to conduct impact assessments recording how and why these decisions have been taken.
There may well be areas where employee consent to process certain specific data is still required and, in these cases, the consent must be given freely (i.e. not as part of the employment contract) and actively (i.e. not simply ‘by default’).
Q: What steps should employers be taking now to prepare for the GDPR coming into force in May 2018?
A: The GDPR affects the whole business but, from an HR angle, we would suggest that the following steps are taken as part of the overall business preparations.
- Audit HR data and data processes.
Now is the time to assess what data is held by HR and how it is processed: who is it shared with, and why? What data protection policies and procedures do you currently have, and are they working? Are there any risk areas that need attention before the GDPR comes into force?
- Audit your third-party processors.
The GDPR contains increased obligations on employers to ensure that their third-party data processors comply with data protection laws. The obvious ones here include external payroll providers and occupational health assessors. You need to make sure that your contractual terms require third parties to comply with data protection law in processing personal data about your workforce. You should consider what steps you take to vet and check external service providers for compliance both prior to and during their appointment.
- Move away from relying solely on employee consent to justify business critical data processing (see above).
- Ensure staff are trained appropriately.
General data protection training is as important as ever. Those with specific data processing responsibilities should be given additional tailored training.
Q: How will the GDPR change the rules regarding subject access requests?
A: In standard cases, the current 40-day time limit for responding to subject access requests will be reduced to one month and the £10 fee will be abolished. The one-month timeframe can be extended by a further two months in particularly complex cases, and provision will be made for a reasonable fee to be charged (or the request refused) if the request is manifestly unfounded or excessive.
The GDPR will extend the right of access to personal data (employees will be entitled to more information about how their data is handled, who has access to it, how long it is held for etc) so employers should ensure that anyone appointed to handle subject access requests has received up to date training.
Q: Do we need to appoint a data protection officer?
A: The GDPR requires public authorities, and companies whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (or large-scale processing of special categories of data, such as health data), to appoint a data protection officer. This person must have expert knowledge of data protection law and practices, and their job will be to monitor internal compliance with the GDPR. Businesses that do not fall into this category may still wish to appoint someone to monitor data processing and keep a check on compliance.
The GDPR represents a significant change in current data protection practice and businesses need to start preparing now.
If you would like further advice on this topic please contact David Smedley or Andrew Rayment.