For many businesses, employers and professionals, May 2018 was a stressful time. Getting ready for the General Data Protection Regulation meant that we had to audit our practices, and make changes to our data protection processes in order to comply with the new regulations in time for the May deadline.
The General Data Protection Regulation (GDPR) will have been in force for one year on 25 May 2019. Its implementation marked a significant change of approach in the protection of personal data.
The first anniversary of GDPR is an ideal opportunity for employers to review their policies and procedures to ensure they’re compliant.
To mark the anniversary of the General Data Protection Regulation, we’ve recapped some key areas for employers to keep in mind when processing employee data, and to ensure your compliance.
The General Data Protection Regulation: the Challenge for Employers
GDPR provides a regime for the protection of ‘personal data’. This is defined as any piece of information that could lead to the identification of a living person (data subjects).
This creates several areas of concern for employers. Not only do we need one eye on how we process third party or customer personal data, we also need an effective process for storing and managing employee data.
Additionally, we have to monitor how employees process personal data themselves.
Most breaches of the General Data Protection Regulation in the past year relate to employees accessing, and then sharing personal information.
There is barely a function of business unaffected by GDPR, but here are some of the main issues to consider with a focus on HR.
A Compliance Regime
Employers are expected to have a tailored approach in place to demonstrate compliance with the GDPR.
This means having policies and procedures in place appropriate to the nature of the business. We also need to monitor their effectiveness, train employees, have a policy on breaches and regularly audit and reviewing compliance.
GDPR compliance should be regarded as part of the fabric of the business.
Employee Privacy Notices
As employers, we naturally collect an array of personal data about our employees, and the General Data Protection Regulation requires that employers clearly explain how that data is processed.
Employees need to be told the reason for collecting the data, who the data might be shared with, how it will be stored, and for how long. Employers also need to communicate how the employee might have access to their personal data, and a process for challenging inaccuracies.
Communicating this information to employees in a fair and transparent way is vital to ensure compliance. Creating a privacy notice or employee data protection policy, is the best way to ensure compliance.
The General Data Protection Regulation and Recruitment
It’s also important to remember that employers need a privacy notice in relation to prospective employees as well as current ones. The personal data of job applicants also needs to be processed fairly and lawfully in the same way as for employees.
A privacy notice should form an integral part of your recruitment process.
Consent must be ‘freely given, specific, informed and unambiguous”, and be provided in the form of a statement made by the employee either orally or in writing.
It is no longer appropriate to have a clause embedded in an employment contract stating that the employee consents to the use of personal data. This is because an employee may be considered to have little choice in the matter, since they can’t sign their contract without giving consent to this clause.
They’re therefore not unable to give consent ‘freely’, and employers need to look at relying on legal grounds other than consent to process employee data, such as legitimate interest or necessity, for example.
Employees must also be informed that they can withdraw consent.
Data Subject Access Requests (DSAR) under the General Data Protection Regulation
Employers need to have an effective system in place to deal with requests from data subjects for records of information held.
You must respond within one month and personal data includes statements or opinions about the data subject, for example comments in performance reviews, or meetings concerning the employee.
Bear this in mind when recording information in the first place, as it’s now a criminal offence to destroy any data to frustrate a DSAR.
Right to be Forgotten
Employees have a ‘right to be forgotten’ under GDPR, meaning that they can request that employers erase personal data held about them.
Employers need to respond in a considered way and be aware to what extent such requests should be complied with, and what justifications exist for refusing to delete data.
Seeking expert advice is crucial in this area as such requests will usually be made by disgruntled former employees.
The employer, as Data Controller, is expected to report breaches to the Information Commissioners Office as well as maintain a record of breaches.
There is a 72 hour time limit on reporting a disclosure of personal data. If the breach poses a high risk to the rights and freedoms of the data subject, those individuals also need to be notified of the breach.
Consequences of Non-Compliance
It’s important to ensure that you’re doing all you can to avoid a data breach, and comply with the General Data Protection Regulation. Breaches of GDPR can be extremely costly to businesses, as they are dealt with by substantial financial penalties.
The Information Commissioners Office now has the power to impose penalties of up 20 million Euros or 4%* of the company’s total annual worldwide turnover in the preceding financial year, whichever is higher. In addition, there can be fines imposed by the Criminal Courts for certain offences under the Data Protection Act 2018 which gave effect to the General Data Protection Regulation.
Clear guidance and the provision of information to employees is vital. Employees need to be informed about the notification requirements and to understand that intentional or grossly negligent breaches are likely to be treated as disciplinary offences.
How can you ensure ongoing compliance with the General Data Protection Regulation?
Don’t be slow to seek expert help and guidance when addressing your data protection processes. Though it presents challenges, compliance with GDPR can readily be met by sensible safeguards and suitable policies and procedures. By carrying out the following, you will be able to create processes that preserve data protection, which can be easily maintained going forward.
- Undertake a data audit.
- Analyse the reasons that data is currently obtained.
- Consider which legal processes you will rely on going forward for processing and remember the data protection principles.
- Identify who has overall responsibility for data protection compliance in your business and consider if you need a Data Protection Officer. You can find out more about this here: Data Protection Officers
- Review the security of your data.
- Review and update your employment contracts and policies.
- Review your disciplinary procedure and make sure that any data breaches are a disciplinary offence.
- Review policies such as IT, communications and CCTV.
- Review and update your external contracts and processes where you share personal data with third party providers.
- Introduce a policy on data retention.
- Draft a Privacy Notice or Employee Data Protection Policy which outlines exactly how employee data is processed.
- Draft guidance for managers and staff who have responsibility for data protection.
- Ensure your recruitment processes protect personal data, and that you inform candidates how you process their data, and gain their active consent to keep their details on file.
- Ensure you maintain compliance.
- Carry out annual audits and regular spot checks in high risk areas.
If you would like any support with addressing data protection for your staff, drafting an Employee Data Protection policy, or carrying out an audit, please contact our team of HR Consultants on 01271 859267 or firstname.lastname@example.org