GDPR - key considerations for employers
By now employers are aware that from May 2018 the General Data Protection Regulation (“GDPR”) will be implemented, replacing the Data Protection Act 1998. Although predominantly aimed at commercial processing of customer data, the new regulation will have a significant impact on a company’s approach to processing employee data. The GDPR aims to ensure that an employee (and individuals more generally) has the ability to control and access their data, and to restrict its use.
Perhaps one of the key, and certainly most frightening, changes under the legislation for employers is the sizable increase in potential penalties if found to be non-compliant, which could include a fine of up to 4% of annual worldwide turnover from the preceding financial year or 20 million euros, whichever is greater.
Therefore it is key for employers to consider what they can be doing now to ensure they are in line with the new obligations. Please note that the following are only some of the factors to consider, and employers should take legal advice in advance of the regulation being implemented.
1. Individuals’ rights
It is imperative that employers have systems in place to ensure individuals’ rights are protected, and employers should consider amending procedures if they do not go far enough. Key individual rights include:
The right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subjected to automated decision-making.
2. Have a lawful basis for processing personal data
To make processing lawful, employers must rely on one of the lawful bases, such as consent, performance of a contract with the employee, compliance with a legal obligation, protecting the employee’s vital interests, performing a task in the public interest, or where processing is necessary for the employer’s legitimate interests or those of a third party.
Employers should review the various types of processing activities they carry out and identify the lawful basis for each processing activity. This should be documented to comply with the GDPR’s accountability principle.
3. Review consent procedures
The GDPR introduces a new standard of consent, which must be freely given, specific, informed and unambiguous. Employers must review how they seek, record and manage consent and whether they need to change their current procedures. In the event that current consents do not meet the GDPR standard, new consents must be obtained.
4. Audit your data
Employers should document what personal data they hold on employees, where it came from and who it is shared with. An information audit is a useful way to do this and goes some way in complying with the principle of accountability under the GDPR. For employers with over 250 employees, written records must be kept of all processing being conducted.
5. Review privacy notices
The GDPR’s transparency principle means that employers need to provide more detailed and specific information to individuals when processing their personal data. Privacy notices should be provided free of charge in a form that is concise, intelligible, easily accessible and written in plain, clear language.
6. Review service provider arrangements
Under the GDPR’s accuracy principle, employers should ensure that information provided to service providers is accurate. Employers should notify service providers of errors so they can correct their corresponding data and must ensure service providers delete data if an employee exercises their right to erasure.
7. Review subject access request procedures
Employers will have a shorter period to comply with a subject access request – a month rather than the current 40 days – and will no longer be able to require that a fee is paid. Replying to a subject access request can be a lengthy and difficult process, so it is important that procedures are in place to limit the administrative burden where possible.
8. Review data breach procedure
Employers must, under the GDPR, report to the ICO within 72 hours any breach that could result in a risk to the rights and freedoms of individuals, and where this risk is high, the affected individuals must be notified without undue delay. Employers should have suitable procedures in place to detect, report and investigate any breach involving personal data.
9. Adopt a ‘privacy by design’ approach
Data protection considerations should be built into any systems used or designed by an employer. Considerations include the amount of personal data being collected, the extent of its processing, the storage period and its accessibility. Employers must also carry out a privacy impact assessment where data processing is likely to be high risk to individuals.
10. Appoint a Data Protection Officer
Having a DPO is mandatory for some organisations under the GDPR, but even if not, it may still be prudent to designate this role to someone in the organisation given the complexity of the GDPR’s obligations and sanctions for failure to comply.
11. Survey European operations
If an employer carries out cross-border processing in more than one EU Member State, they will need to determine a lead supervisory authority, whose responsibility is dealing with the processing involved in this cross-border activity. This authority should be the one in the EU Member State where the employer has its main or central administration.
12. Amend employment contracts and staff policies
Ensure that contracts and handbooks are up to date, with particular regard to data protection, recruitment and job references, sickness absence, monitoring of employees and remuneration.
If you have any questions on the above information, or on what other steps you, as an employer, should be taking to ensure you are GDPR compliant, please contact a member of our team.