What is GDPR?
The General Data Protection Regulation (GDPR) was introduced to unify all EU member states' approaches to data regulation, ensuring that data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their personal data irresponsibly and puts them in charge of what information is shared, including where and how it is shared, who it is shared with and how it is collected.
Employee Data Management
Under the GDPR all businesses will have to ensure that they:
- Request consent for data and clearly detail how the data will be used;
- Offer individuals the right to access their data;
- Offer individuals the right to be forgotten – to withdraw their consent and prevent further distribution of their data;
- Notify those concerned of any security breaches.
Employers must also consider how to comply with the rules on consent to data processing and subject access requests made by employees.
Under the GDPR consent needs to be specific, informed and freely given. This means individuals should have a genuine and free choice as to whether or not they consent to the processing of their data, and should be able to refuse or withdraw consent without detriment.
Employers are unlikely to be able to rely on consent as the lawful purpose for processing most personal data (due to the imbalance of power in the employer-employee relationship); therefore most employer processing activities will fall under the ‘other lawful purposes’.
In accordance with the new accountability principles, an employer needs to be clear from the outset of the lawful purpose on which they are relying. The GDPR lawful purposes for ordinary personal data include processing on the basis of:
- Legitimate interest of the data controller;
- Necessity for the performance of a contract;
- Compliance with a legal obligation;
- Protecting the vital interests of the data subject or of another natural person;
- Necessity for the performance of a task carried out in the public interest.
If an employer relies on consent for any aspect of employee data processing then they need to ensure that:
- Consent is a positive ‘opt in’, separate from the other terms and conditions of employment. It must not be vague and must be refreshed every two years;
- Consent is specific to the data in question and what the employer is using it for;
- If the employer is sharing the data, each third party is named and specific consent is sought;
- The employer advises that consent may be withdrawn and the method of doing this; and
- The employer keeps specific records regarding consent to demonstrate compliance.
Subject Access Requests
The GDPR will:
- Enhance employees’ rights to access personal data held by their employers;
- Entitle them to more detailed information regarding the way in which their data is processed;
- Reduce the time limits for the employer’s response;
- Abolish the current fee for responding to a subject access request (SAR).
Employers are currently obliged to comply with a SAR within 40 days of the request. The GDPR will shorten this period, obliging employers to comply without undue delay and at the latest within 30 days.
Employers should consider putting into place specific SAR protocols including template letters, and carry out an assessment of their businesses’ ability to isolate data relating to a specific individual quickly.
What Should Employers Be Doing?
As a minimum, employers should:
- Review current data protection policies and practices, including existing employment contracts, staff handbooks and employee policies. Ensure there is full transparency over the nature of HR data processing: the data used, the purposes for which it is used and where it is processed;
- Review supplier contracts to ensure they have data protection provisions and update them to cover the new requirements of the GDPR;
- Ensure relevant personnel understand the legal basis for processing data under the GDPR. Where consent has been relied on, either justify the processing of HR data on this basis or identify an alternative lawful purpose, and make sure the decision is recorded;
- Make sure that staff are trained on the new GDPR rules;
- Appoint someone within the organisation to oversee compliance with the reforms.
The GDPR is the biggest shake-up of European data protection law in over 20 years. As it will significantly affect all businesses, its importance cannot be overstated. Whilst the GDPR does create challenges for businesses, it can also create an opportunity to build deeper trust with clients and employees, given the transparent nature of the GDPR requirements.