Unless you’re one of the undead you must have heard of the GDPR by now.
So what does GDPR stand for and where does it come from? The General Data Protection Regulation is a European Union Directive that will replace the Data Protection Act 1998 (DPA) in the UK.
The Brexiteers amongst you may think “Great, we can ignore that then” however you would be very wrong!
Firstly, the GDPR will become a reality in the UK on 25 May 2018 which is before the intended deadline for Brexit in March 2019 and secondly if we still want to be able to transfer data to and from Europe following Brexit the UK is required to have a data protection regime which is “adequate” in the eyes of EU law. In reality that means that the regime must meet the same minimum standards set by the rest of Europe who will be using the GDPR.
So no getting out of it then, unless your business can exist in a bubble and without the need to process data. In that case it’s time to start thinking about the type of data your business processes and how to ensure your business is protected from ghouls, ghosts and the GDPR.
Whilst the GDPR will affect all data collected and processed by your business the way in which you recruit and employ your employees is one aspect of your business which is likely to be affected more than most by the GDPR.
As an employer you need to check that applicants are who they say they are and not a murderous teenager hiding behind a hockey mask (ok, that one’s a bit thin… maybe I’ll leave the Halloween analogies for now). Because standard information is gathered by employers during the recruitment process and often supplemented when the employee commences work, this makes you both a data controller and a data processor. Going forward you will need to think more carefully about what information you are asking for and why you need it, as you will need to be able to justify collecting and processing it.
Personal data is data that relates to a living individual (zombies and ghosts remain unprotected) from which the individual can be identified. It is given a broad definition and includes:
- Information relating to the individual’s personal or family life, profession or business;
- Information used to inform or influence actions or decisions affecting that person;
- Information that focuses on the individual as its central theme rather than on an object, transaction or event;
- The individual’s name plus any other piece of identifying information such as telephone number, address, salary, working conditions, hobbies, or sickness record.
Under the GDPR, at the time data is obtained, the employer must provide the employee with a wealth of information in writing, including the purpose for which data is being processed, the potential recipient(s) of the data and how long it will be stored for, as well as the fact that the employee has the right to rectification, erasure or restriction of processing, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
If anybody thinks this is not a significant task they are mistaken. Every time you obtain personal data or “special categories of personal data” (as sensitive data will now be called) about your employees you will need to consider a significant number of issues to ensure compliance with the GDPR.
In order for you to lawfully process personal data it will be necessary to ensure that at least one of the legal reasons set out in the GDPR applies. Unfortunately whilst consent from the data subject is one of the fair reasons for processing data it will rarely justify the processing of personal data alone under the GDPR. As such it will be necessary to find another potentially valid reason including:
- Processing is necessary for the performance of the contract;
- Processing is necessary for compliance with a legal obligation; or
- Processing is necessary for the purposes of the legitimate interests pursued by the controller.
Clearly it will be necessary to obtain certain data in order to pay your employees and to comply with tax and pensions legislation but will all the information you gather as standard be necessary for this purpose? If not you may need to provide a further explanation to your employees about the purpose for which their data is gathered and who the recipients of that data will be. Something to think about…
And while we’re talking about it, all data that has been gathered previously is likely to need destroying and then collecting again in line with the GDPR unless at the time it was obtained you provided the detailed information required by the GDPR.
Under the GDPR there is a new requirement on data processors to show that they are accountable, which essentially means you will have to be able to show that you are compliant with the GDPR and how you comply with its data protection principles. In practical terms this is likely to mean demonstrating that you have policies in place that have been implemented and are enforced, that your staff know what they can and cannot do with data, and that if data is incorrectly processed you know how to deal quickly with a breach and that somebody will be responsible for this.
Data Subject Access Requests (DSAR)
It is a fundamental right that a data subject may request his or her data from a data controller. A Data Subject Access Request (DSAR) is the way in which a data subject can request their data. It is often used by employees to obtain data held about them by their employers.
Under the GDPR no fee will be payable by the employee for a DSAR unless the request is “manifestly unfounded or excessive, in particular because of their repetitive nature”. You will need to comply with a DSAR “without undue delay” and at the latest within one month of the request. It will be possible for the parties to agree an extension of time by up to a further two months, but only in the event that the request is particularly complicated or there are numerous requests.
Whilst that might sound like bad news, it is possible, and indeed advisable, to request further specifics about the DSAR when it is received in order to streamline the request, or to raise objections if the employee is asking for information which appears to have no relevance to their personal data.
For larger employers, if you don’t already, it may be wise to have certain employees trained up to deal with DSARs so that they can be dealt with quickly and efficiently.
Notification of a breach
Under the DPA there is at present no obligation on an organisation to notify the Information Commissioner’s Office (ICO) of any data breach. However, under the GDPR it will be mandatory to inform the ICO of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach (although the requirement is removed where the breach is unlikely to cause any risk to the data subjects). A data breach is easier to cause than you think: an e-mail to the wrong recipient, for example. As an employer you should ensure that you have thought about how you will deal with this and have a process in place for this eventuality; this will help you prove to the ICO that you take data protection seriously and that you are accountable.
Penalties for infringement
A final point to leave you terrified and wishing for the more obvious, “quiet, quiet, BANG!” type scares associated with Halloween. Fines for breaching the GDPR can in some circumstances reach 20 million EUR, or 4% of the total worldwide annual turnover of the business, whichever is higher.
The ghastly GDPR should not however be too scary if you plan ahead and act now. The deadline for compliance with the GDPR is 25 May 2018 and so you still have time before the axe swings.
- Start thinking – it is unlikely all the data you currently hold has been gathered in accordance with the GDPR, can you cope without that data?
- If not, how will you collect relevant data to continue operating?
- Consider the size and nature of your business, employment is not the only area that will be affected, how will you ensure that you are accountable?
- Who will be responsible for data protection compliance and what will happen in the event of a breach once the GDPR is in effect?
- Consider whether you need to revise your data protection policies in light of the GDPR.
Contact the data protection specialists at Taylor & Emmet if you need specialist advice on how the GDPR will impact your organisation.
For more information about Taylor & Emmet’s employment law services call (0114) 218 4000, visit www.tayloremmet.co.uk or follow the firm on Twitter, @te_employment. Please note that this advice note is made in general terms only and does not replace specific legal advice.
Notes
- Data controller means, …, a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
- Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- ICO guidance, August 2007
- Article 12 GDPR
- Article 9 GDPR
- Article 57 GDPR