The General Data Protection Regulation (GDPR) and what it means for employers
Article written by Naylah Hamour,
Partner in our Employment and dispute resolution department.
Most employers have now heard of the GDPR, although many do not yet know what the Regulation involves or what it will mean for their business. Many businesses have made no provision at all for GDPR compliance, perhaps wrongly assuming that the Regulation will have no particular impact on them. This is not the case, and the GDPR will bring in sweeping changes to employers’ and data controllers’ obligations, and to employees’ rights over their own data. It is essential that employers and data controllers properly prepare for the implementation of the GDPR in order to avoid falling foul of the Regulation and becoming subject to the new and hugely increased financial penalties.
What is the GDPR?
- The GDPR is the EU General Data Protection Regulation.
- Our domestic legislation will be called the Data Protection Act 2018. This is designed to implement the GDPR. It replaces the Data Protection Act 1998 and must take effect by 25 May 2018.
- It was produced in response to the growth in the communication of personal data which therefore required a stronger framework. In particular, it reflects the increase in online activity and online presence that was not envisaged in the Data Protection Act 1998.
- Implementation will, as far as possible, preserve the concept of the Data Protection Act to ensure smooth transition from the old regime to the new enhanced Data Protection regime.
- Under the GDPR, if there is to be a transfer of data to a third country, i.e. a non-EU country, the European Commission must assess the adequacy of the data protection provided by that third country. If it is deemed inadequate then the third country would no longer be treated as an appropriate place for the transferred data.
A poll by the London Chamber of Commerce and Industry found that 24% of London businesses are not aware of the GDPR. They also found that of those business decision makers who believe that the GDPR will affect them, only 16% say that their business is already prepared for it. 21% say the business would like to prepare for the GDPR but need to find out more about it. 34% of the London business community wrongly say that the GDPR is not relevant to their business.
What’s new in the GDPR?
- Most businesses and data controllers are now comfortable with the key provisions of the Data Protection Act 1998 and the definitions of “personal data” and “sensitive personal data”.
Under the GDPR the definition of “personal data” is more detailed than before and makes clear that information such as an online identifier e.g. an IP address can be personal data.
- The more expansive definition of personal data provides that many personal identifiers will constitute personal data. This reflects the technological changes since the 1998 Act, the changes in people’s online and social media usage and why organisations collect information about people, including online.
- The term “sensitive personal data” under the 1998 Act is now replaced with the term “special category” data. The definition differs slightly but the principle is the same.
It includes data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
If data falls within this definition then a “specific condition” must be satisfied before the processing can take place, in addition to having a lawful basis for processing.
- The most likely applicable “specific conditions” for employers would be: “processing necessary for the purpose of carrying out the obligations of the controller in the field of employment”.
Important points for employers
Consent alone is therefore no longer sufficient to allow processing of special category data. The circumstances in which consent is not sufficient are as follows:
- Consent is invalidated if there is an imbalance between the data controller and the subject. In almost every employment contract there will be an imbalance between the employer and the employee and, therefore, consent alone from an employee will not be sufficient to allow an employer to process “special category” data.
- Consent given prior to the GDPR (i.e. prior to 25 May 2018) cannot be relied upon as consent under the GDPR (unless it is also GDPR compliant). This means that contracts which include consent to data processing cannot be relied upon for ongoing processing after implementation of the GDPR.
- Consent cannot form part of another document unless it is clearly highlighted. It is unclear whether having a separate clause heading within an employment contract (assuming that there is no imbalance between the parties) would be sufficient, but for safety a separate data protection schedule would be advisable.
- Consent to the processing of special category data can be withdrawn, which means an employer should not rely on consent as the only basis for processing in any event.
- There are other bases under which an employer may process special category data, regardless of consent. Under the GDPR employers are advised to set out the relevant bases within the data protection schedule of a contract in order to ensure that any necessary processing can take place.
- Territorial scope has changed. Now, the issue is no longer where the data processing actually takes place. The GDPR will apply if the processing takes place in the context of activities of an employer which is established in the EU.
- Even if an employer is not established in the EU, if the processing of personal data relates to the offering of goods or services to those individuals in the EU, this would also fall under the GDPR. For example, post-Brexit if a UK headquartered company also had employees who are based in the EU, then the GDPR would apply to the processing of their data and vice versa.
- The lawful bases for processing depend on the processing being “necessary”. An employer will therefore need to show that the processing is a targeted and proportionate way of achieving the required aim. It will not be sufficient for the employer to operate the business in a particular way if the purpose or aim could be easily achieved by some less intrusive data processing means.
- If an individual requests their data from an employer they will now have a right to receive that data electronically in a form that can be passed on.
- Employees will have a right to be informed by the employer, at the time the data is obtained, of various matters such as the data held; the use to which it will be put; the period of storage; the recipients of the data; and the employee’s rights in relation to the data. Employers will therefore need to have clear notices for employees, which could be in the form of a data protection policy.
- Employees will have enhanced rights to erasure of their data.
Compliance and reporting of breaches
Data processors will have direct obligations for the first time. These will include obligations to:
- Maintain a written record of processing activities carried out.
- Designate a data protection officer where required.
- Notify the controller on becoming aware of a personal data breach without undue delay.
Important and onerous accountability obligations are imposed on data controllers by the GDPR:
- The reference to “undue delay” is particularly onerous: as soon as the data processor becomes aware of a breach, the data controller is deemed to be aware of it. Employers will therefore need to put in place training, policies and procedures to ensure that any processors of data are aware of their obligation to notify the data controller, so that appropriate steps can be taken in the event of a breach. Failure to do so can expose the employer to significant penalties.
- An employer will be required to notify the relevant regulator within 72 hours of becoming aware of a breach (unless the breach is unlikely to cause any risk to employees).
- Penalties for infringement will be increased from the current limit of £500,000 to the higher of 10 million euros or 2% of total worldwide annual turnover of the preceding financial year.
- For certain infringements the fines will be set at an even greater level, being the higher of 20 million euros or 4% of total worldwide annual turnover of the preceding financial year.
The scope for large fines is significant. As an example, in September 2017 Facebook was fined 1.2 million euros in Spain after it failed to inform users of how their data would be used.
If that fine had been imposed under the GDPR and, therefore, as a percentage of annual worldwide turnover, Facebook’s exposure would have been very substantially increased bearing in mind that its annual worldwide turnover in 2017 was 33 billion euros.
Guidance is given in the GDPR as to relevant factors to be taken into account in the imposition of a penalty, and the nature, gravity and duration of the failure will all be relevant. However, employers would be well-advised to avoid reaching the position of having to mitigate the level of a fine.
Examples of personal data breaches given by the Information Commissioner’s Office (ICO) are:
- Access by an unauthorised third party.
- Deliberate or accidental action or inaction by a controller or processor.
- Sending personal data to an incorrect recipient.
- Computing devices containing personal data being lost or stolen.
- Alteration of personal data without permission.
- Loss of availability of personal data.
What should employers do now?
- Take advice.
- Put in place policies and procedures for data protection. A data protection policy should be signed by employees in acknowledgement.
- Train staff on management of data and notification processes, including training on email etiquette and minimising their and the employer’s data trail (subject to any retention requirements).
- Consider making it a disciplinary offence to fail to report a data protection breach.
- Update employment contracts where necessary to include a data protection schedule. Otherwise prepare a separate data protection notification and consent for employees.
- Notify employees of any data processors (e.g. payroll, bank, etc.) and of any data sharing with third parties.
- Consider having a social media policy or digital media policy so that employees can understand that social media postings can form part of a later subject access request.
- Consider putting in place systems for employees to access their own data online.
- Ensure that any staff responsible for dealing with subject access requests are appropriately trained.
All employers will need to reassess their businesses and business practices in light of the GDPR and would be well-advised to take advice sooner rather than later. An overhaul of HR and other compliance documents may be required in order to prepare properly for the GDPR and careful consideration will need to be given to training, implementation and notification.
For more advice on this area please contact:
Tel: 020 7408 8888