25 May 2018: This date should be etched into your brain, because it is the date the General Data Protection Regulation (GDPR) will apply in the UK.
You should put to bed any ideas (hopes?) that the GDPR is going to be derailed by Brexit: on 7 August the Government issued a statement of intent, confirming that it would be publishing a new Data Protection Bill which will bring the GDPR into UK law. Exactly when this will be published is unclear, but what is clear is that you shouldn't just sit around waiting for it - with no grace period after 25 May 2018, you're going to need to hit the ground running. And in case you need an extra incentive, just remember, the GDPR has teeth: breaching the law could give rise to a fine of up to £17 million or 4% of an organisation's global annual turnover, whichever is higher (significantly up from the current maximum of £500,000!).
In the first of two blog pieces on the GDPR, I am going to give you a rundown of the eight key things you absolutely must know about it. Next week, I'll share some practical tips for getting ready, but for now let's tackle the question "what on earth is this all about?!".
While many of the main concepts in the GDPR are similar to those in the current Data Protection Act, there are new elements and enhancements (particularly in respect of the rights granted to individuals) which HR professionals will need to know about when dealing with employee data. The Information Commissioner's Office (ICO) has produced a helpful "Overview" of the GDPR if you need extra detail, but in summary here are the key areas of relevance:
1. Consent as a legal basis for processing
This has the potential to have one of the largest impacts on processing employee data.
Currently, the common approach is for employers to rely on consent as a catch-all legal basis for collecting and using employee information (usually in the form of a generic clause buried deep in an employment contract). Under the GDPR, realistically, this practice is going to have to stop. Here's why:
- The ICO in its GDPR Consent Draft Guidance is explicitly clear: "employers will find using consent difficult" because of their "position of power" over employees.
- The threshold for obtaining consent will increase – consent for processing all data must be "unambiguous and involve a clear affirmative action". Importantly, consent must be "freely given" (and can any of us genuinely say this happens when an employment contract is conditional on consent being given?).
- Under the GDPR, consent requests must be separate from other terms and conditions (again, clearly a broad clause in an employment contract will fall foul of that).
- Employees will be able to withdraw consent at any time, which obviously carries a risk to employers wishing to rely on it. Withdrawing consent must also be as easy as giving it, and withdrawal will give employees some additional protections (see below).
While there may still be certain 'one-off' situations where it will be appropriate or necessary to seek an employee's consent to process personal data, on the whole it will be advisable for employers to look for another legal basis for processing personal data – and ideally capture this in the employment contract. The most flexible basis is likely to be "legitimate interests". This allows you to process personal data if you have a genuine and legitimate reason for doing so (including commercial benefit), unless this is outweighed by the harm to the individual's rights and interests. However, these reasons must be asserted and notified to employees.
Other relevant reasons include i) to fulfil your rights or obligations under an employment (or other) contract with an individual or ii) to comply with a legal obligation. If an employer can explain why a certain activity is necessary in the employment contract, so much the better – but going forwards employers will want to avoid any suggestion of "consent" or "permission".
2. New rights for individuals
The GDPR introduces a suite of new and enhanced rights with the aim of giving individuals greater control over how their data is used:
- Right to be forgotten – Also known as the "right to erasure". Workers will be able to ask for data on them to be deleted where it is no longer needed for the purpose it was gathered or where consent is withdrawn (unless the data is required by law or for legal proceedings).
- Right to rectification - Workers have the right to rectify personal data or ensure it is complete. If an employer has previously disclosed this information to a third party, it will have to notify them that the information has been rectified (and let the worker know who those recipients are if requested).
- Right to object / restrict processing - In certain circumstances (such as where the processing is unlawful or where the individual contests the accuracy of the data), the worker can require an employer to stop processing their data, except with their consent, in connection with legal claims or to protect the rights of others. The cynic in me feels that this has the potential to give disgruntled employees a greater arsenal with which to disrupt disputed performance reviews or grievance and disciplinary matters; let's just hope I'm wrong.
3. Data Subject Access Requests
While a lot of us are already familiar with subject access requests, and the right for individuals to receive copies of the data you hold on them, the GDPR introduces a few notable changes to the process. The main ones are that you will need to respond within one month (down from 40 days) and will no longer be able to charge a fee.
There is scope to extend the period of compliance by up to two months where requests are "complex or numerous" or to refuse to respond where requests are "manifestly unfounded or excessive". Exactly what is meant by these concepts is yet to be seen – we can but hope there is guidance on them to avoid some of the litigation there has been under the current regime.
4. Data Protection Officer
It will be mandatory for certain types of organisation to appoint (or outsource) a Data Protection Officer (DPO) who will be subject to specific requirements and duties. Others will not be under an obligation to do so, but be aware that if you give someone the title of "Data Protection Officer" then the GDPR standard will apply. It does not need to be a stand-alone role, but if you do require a DPO at law then responsibility cannot be shared over more than one employee.
Even if the law does not require your organisation to appoint a formal DPO, it is nevertheless advisable for everyone to identify someone – whatever their title – to take responsibility for all things data protection. It should not be treated as an IT issue, but a management issue with major implications across (in particular) IT, HR, marketing and legal/compliance.
5. Security breaches
Unless you can show that a data security breach (essentially the actual or potential loss, corruption or theft of data) is unlikely to cause harm to individuals, you will have to report that breach to the ICO within 72 hours of becoming aware of it. And where the breach is likely to present a high risk to particular individuals, they should be notified directly.
6. Transparency and accountability
These buzzwords occur throughout the GDPR. Put simply, much fuller information is required from employers when they collect personal data from individuals. The most common way to do this is in a privacy notice, telling individuals about their data subject rights, their right to withdraw consent and about data retention. So, for example, you should give a privacy notice to job applicants or employees wherever and whenever you collect data about them.
The GDPR also places a pro-active responsibility on employers to demonstrate their compliance with its principles. From an HR perspective, this will include things like maintaining relevant documentation, preparing and implementing appropriate policies and carrying out staff training.
7. Privacy by design and by default
Again, these are buzzwords given legal effect by the GDPR. Essentially this means: i) knowing in advance whether any relevant project (eg a benefits overhaul or policy review) will create data protection issues and ii) ensuring your 'default settings' are friendly to individual rights. Linked to this is the concept of "data minimisation" – in other words, personal data should be limited to what is necessary for the purposes for which it is processed. There is no scope for employers to collect data on the off-chance it might be useful for some as yet unspecified purpose.
One way of achieving this is via privacy (or data protection) impact assessments. This is a tool that employers can use to identify and reduce the privacy risks of projects. These will be mandatory in some circumstances, but are in any event advisable before embarking on any new major projects or policy changes.
8. International transfer of data
Employers who transfer personal data about their employees abroad (or even use a third party located in a different country) will need to inform employees about how and when this occurs and what safeguards are in place. There will be a clear need to avoid the inadvertent transfer of data to another country without appropriate safeguards; a potentially tall order in today's internet-driven world. Although the GDPR acknowledges there will be a legitimate interest in organisations sharing employee data across group companies for internal administration, this does not defeat the need to follow the "third country" transfer rules.
At 173 recitals and 99 articles, not surprisingly, the GDPR is a lot to take in. To help with that, next week we'll be focusing on the practical steps you can take to Get Data Protection Ready. For further details about the GDPR and information law more generally please look at our newsletter Information Matters or get in touch with your usual contact in the firm.