Demonstrating Ongoing Compliance
It is important to all businesses to comply with the current legislative regime and data protection principals to minimise risk. The GDPR takes the concept of compliance even further introducing themes of corporate accountability and governance. Employers will have a legal obligation to demonstrate that they are complying with data protection principles and adopting an approach and practices that properly protect the privacy of individual data subjects.
It will no longer be enough for the employer to demonstrate that they have not breached the legislation, the employer will also need demonstrate they have implemented “appropriate technical and organisational measures” in relation to data protection.
This means that employers will need to have a detailed data protection policy in place, as well as other ancillary policies such as those on data security and data breaches. In fact, all the issues we have raised in this newsletter will need to be addressed in the employer’s workplace policies.
The GDPR also introduces a new concept of ‘data protection by design and by default’. The intention is that data protection will be built into the design and implementation of new systems from the outset. For example, where a new HR system is being established, all the issues relating to the protection of employee data and privacy (such as lawful processing, individual rights and portability of data) will need to be part of the design of the system from the ground up.
In order to manage data protection compliance some employers already appoint a designated person as Data Protection Officer. It is likely this approach will become more popular and it is recommended as part of establishing an internal framework for compliance. Generally this is a voluntary measure, however, there are some circumstances under the GDPR where appointment of a Data Protection Officer is mandatory:
- the organisation is a public body, or
- the organisation carries out systematic monitoring or large-scale processing of sensitive personal data
There is a lot to do regarding the implementation of GDPR. A designated and properly trained Data Protection Officer, with the backing and support of senior management, could be a useful resource within any organisation.
The 1995 EU Data Protection Directive underpins the current data protection regime across the EU and is implemented in the UK by the Data Protection Act 1998. That regime has stood for almost 20 years. The EU has long recognised that the 1995 Directive requires updating, given advances in technology and the nature and volume of personal data used in business today. Another EU objective has been the need for a more consistent approach to data protection practices and outcomes in the context of modern living. The internet, for example, has no respect for national boundaries and there is a desire for EU citizens to have privacy expectations met in a consistent way throughout the EU. The output of a number of years of EU discussion is the General Data Protection Regulation (‘GDPR’).
UK businesses must comply with the requirements of GDPR with effect from 25 May 2018, a date well before the UK will leave the EU. Even after the UK has withdrawn from the EU there will still be a need to preserve an equivalent data protection regime in the UK to ensure that UK business can continue to trade across the EU. The UK government has published a new Data Protection Bill which is progressing through Parliament and will replace the Data Protection Act 1998. The new Act will match the protections afforded by the GDPR and forms part of the legislative program to incorporate aspects of EU law into UK law after Brexit.
What are the changes to the Data Protection regime?
In the broadest sense, the GDPR builds on the current data protection regime. Many of the concepts and principles are familiar and the underlying effect of the GDPR is to encourage a higher level of compliance with existing data protection principles through a stricter regime with an new emphasis on corporate accountability and self-governance.
In this Newsletter we deal with five of the key changes that will affect employers in the context of processing of employee data:
- the increase to maximum financial penalties
- an end to relying on employee consent
- the enhanced rights of individual data subjects
- mandatory reporting of data breaches
- the requirement to demonstrate transparency and compliance
Employee Consent and Employment Contracts
The historic approach for many employers has been to include a clause in the employment contract confirming that the employee consents to their data being processed by the employer and this has provided the lawful basis for processing of the employee’s data.
Consent will remain one of the potentially lawful reasons for processing personal data under GDPR but the EU Working Party has made clear that consent will not provide a lawful basis for processing in the context of employment relationships. The reason for this is that the preconditions for using consent as the lawful basis for processing will be more stringent after May 2018. Under the GDPR, for consent to be valid, it will need to be:
- Freely given
Accordingly, employers will need to rely on different bases in order for processing of employee data to be lawful. These will include:
- that processing is “necessary for the performance of a contract” - using payroll as an example, personal data must be processed in order for an employer to fulfil its contractual obligation to pay the employee
- that processing is “necessary for compliance with a legal obligation” - continuing the payroll example, HMRC places legal obligations on an employer in relation to income tax and national insurance
- that processing is for the purposes of “the legitimate interests pursued by the controller” (subject to an obligation on the employer to balance its own interests against the legitimate interests of the employee.)
The removal of consent as a lawful basis for processing in the context of employment will mean that that employers will need to reconsider whether each aspect of employee data processing has a lawful basis. In the interests of transparency, employers will need to inform employees what that lawful basis for processing is and also provide details about what data is held, how it is used and how long it will be kept. Employers are likely to achieve this by issuing a data protection privacy notice to employees.
In addition to satisfying the requirement for there to be a lawful basis for the data processing, employer processing must also comply with the data protection principles, including that processing is fair and transparent and that data processed is relevant, accurate, retained for no longer than is necessary and kept securely. These are established requirements under the current data protection regime and they are continued under GDPR.
Mandatory Reporting of Data Breaches
The current obligations on organisations to report data security breaches to the ICO are not mandatory, although there are advantages in self-reporting in order to demonstrate accountability and seek assistance from the ICO.
- reporting of data breaches to the ICO will become mandatory where there is a risk that the breach has a detrimental effect on the data subject e.g. a risk to the individual’s financial position, reputation or confidentiality
- where there is a requirement to report the breach, the report must be made within 72 hours of the breach being discovered
- where there is a high risk of detriment to the data subject, the breach must also be reported to the individual data subject
- where there is no requirement to report the breach, the employer must in any event keep a record of the breach
The ICO has issued guidance about what information should be reported and will introduce a new telephone reporting service and a web reporting form.
These new requirements and in particular the 72 hour deadline will have a significant impact in practice on internal processes. Currently, where a data breach is discovered, most employers are likely to carry out their own internal investigation, before taking a decision whether it should be reported to the ICO. The practical impact of the new rules is that the reverse could happen. Employers are likely to be placed in the position of reporting the breach before they themselves understand the full picture.
It will be important that employers to have in place mechanisms to detect data breaches and a data breach policy setting out clear roles and responsibilities within the organisation and processes for responding to the breach. Staff will need to be educated and trained in relation to such requirements.
All businesses should now be taking steps to ensure that the organisational approach to data protection is evaluated and that there is an internal framework enabling and ensuring compliance in relation to all types of personal data (and not just employee data). For many businesses data protection has been low down on the agenda but this approach cannot continue.
HR departments need to conduct audits to understand what employee personal data is collected, why is it collected it and what happens to it. Once that is understood HR departments should review whether HR practices are compliant with data protection principles and whether adjustments need to be made to ensure future compliance with the stricter requirements of the GDPR.
Increased Financial Penalties
here will be tougher enforcement of rules and higher financial penalties under the new regime. Currently, the maximum penalty the Information Commissioner (ICO) has the power to issue is a fine of £500,000, although fines at this level are rarely issued.
The level of fines is set to increase significantly. The GDPR provides for a maximum penalty of up to €20 million (around £17m), or 4% of global turnover, whichever is the higher of the two. The very significant increase means that businesses can no longer afford to treat data protection as a low risk area of compliance.
In addition, the ICO has other enforcement powers including investigative powers and the ability to issue temporary and permanent bans on data processing, which in practice could cause very significant commercial damage to businesses. The ICO’s enforcement powers are in addition to individual data subjects’ ability to enforce individual rights through the legal system when they are caused damage or distress by data processing.
The most commonly used individual right under the current data protection regime is the right to make a ‘Subject Access Request’. The right is often used in the context of grievances and legal disputes. The 1998 Act provides that an employer has a 40 day deadline to respond to the SAR and can charge a fee of £10.
The GDPR introduces more stringent requirements for employers on receipt of a SAR:
- The deadline to respond will be reduced from 40 days to a maximum of 30 days
- The £10 fee can no longer be charged automatically. Employers will no longer be able to charge fees unless they can demonstrate the request is “manifestly unfounded or excessive”, such as where an employee has been making repeated requests
- Additional information will need to be provided to data subjects in the employer’s response, including:
- whether the employer has or intends transferring any employee data to another country and a summary of any safeguards
- how long the employer intends keeping copies of the data
- whether the employer engages in automated processing activities
- an explanation of the employee’s rights to object, correct or request deletion of their personal data.
GDPR preserves other individual rights of data subjects under the current regime, such as the right to rectification of inaccurate data. The GDPR’s requirements to respond to such requests reflects the new approach in relation to SARs i.e. the employer must respond quickly and generally without charging any fee.
As well as bolstering existing individual data subject rights, the GDPR will create a number of additional individual rights. These will include the right to ‘data portability’ – this right is an entirely new concept introduced by the GDPR. An employee will have the right to request a copy of their data in a “structured, commonly used and machine-readable format” and also require that such data is transferred directly to a third party. The right effectively provides for an enhanced SAR. The right could be met for example by providing a PDF file and the employer is not permitted to charge any fee.
Another individual right that has received attention in recent times has been the so called ‘right to be forgotten’, meaning the right to request that all data held about the individual is erased. A legal challenge involving Facebook resulted in public awareness of this issue in relation to internet search engine data. Requests from ex-employees to have their data deleted could become a routine request for employers and mechanisms will need to be in place to respond quickly to such requests. However, employers can be reassured that the right to be forgotten is not absolute; employers may be entitled to retain employee data in line with the employer’s legitimate interests.