Processing data in 2018: An Overview for Employers

01/03/2017

At a glance

The General Data Protection Regulation

What is it?

The General Data Protection Regulation (“GDPR”) is intended to be an overhaul and harmonisation of the EU data protection regime in the face of the ever-changing technological world.  Reported to be one of the most controversial pieces of legislation to go through Brussels with around four and a half thousand amendments since its proposal stage in 2012, the GDPR comes into effect in the UK on 25 May 2018.

The GDPR should change the way employers control and process the variety of information held on their staff from recruitment, through to termination and beyond.

In detail

But what about Brexit?

Brexit-Smexit.  The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR in the UK.  The UK’s Information Commissioner’s Office (“ICO”) has commented that leaving the EU should not distract us all from the importance of compliance with the new regime.

What are the main implications of the GDPR for employers?

  • Data subjects will have new rights including:
    • The right to object to processing of their personal data.
    • The right to withdraw their consent to particular processing at any time (where the employer is relying on consent).
    • The right to require erasure of personal data the business holds on them for a particular processing purpose or where that data is no longer necessary.
    • The right to require that inaccurate or incomplete data be corrected.
    • The right to more extensive information: to be told in a plain, concise and accessible way the basis for processing their data, its recipients and how long it will be stored; whether their data is transferred to non-EU countries; and the existence of the above rights.
  • Shortening of data subject access request deadlines. Response deadlines will be within one month of the date of receiving the request, so employers will need to act quickly to search and collate data. Employees will also be able to make requests free of charge. Helpfully, an employer will be able to charge for, or even refuse, manifestly unfounded or excessive requests, although they will need good grounds to do so.
  • Obtaining broad consent to process personal data will be more risky. If relying on employee consent as the basis for processing their data, the business will need to be able to demonstrate that the data subject gave their consent and is aware of each of the particular purposes for which that consent was given. Relying on a data protection clause in your employment contracts as ‘consent’ will not cut it; the request for consent must be clearly distinguishable from the other matters.
  • Beware cross-border employers – GDPR has a broad territorial scope. Many non-EU businesses that were not required to comply with previous EU data laws will be required to comply with the GDPR.  For example, if a US parent is processing data about a US employee on a system stored in the UK or elsewhere in the EU, the GDPR will be triggered.
  • It’s up to the business to demonstrate compliance. Companies with 250 plus employees or which carry out high-risk processing will need to keep detailed records of their processing activities, and some are required to appoint a data protection officer. There will be strict 72-hour reporting requirements in the event of breaches, subject to certain exceptions.
  • The maximum fines for breach are eye-watering. The ICO will have increased enforcement powers and will be able to impose fines for:
    • breaches involving internal record keeping, data security and breach notification, data protection officers, data processor contracts: up to 2% of annual worldwide turnover of the preceding financial year or up to 10 million euros, whichever is higher; and
    • breaches of data protection principles, conditions for consent, data subject rights and international data transfers: up to 4% of annual worldwide turnover of the preceding financial year or up to 20 million euros, whichever is higher.

It is expected that 4% fines will be issued in the rarest of circumstances and it is hoped that the ICO will continue to be proportionate in its approach to enforcement in the UK.  Nevertheless, even a 2%/10 million euro fine represents a gigantic leap from the UK’s current maximum fine of £500,000.   Also, it is assumed that annual turnover will be assessed on group revenues, not solely on the revenue of the specific group company in breach.

Why is it important?

  • The GDPR does not contain any official ‘get outs’ from compliance for smaller companies, although SMEs may take comfort in the fact that the ICO’s focus is likely to be on making an example out of well-known names and brands to encourage compliance by others.
  • Data subject access request issues are already one of the main sources of complaints to the ICO. The GDPR could lead to an increase in employees using subject access requests and threats of data breaches as leverage for current or anticipated litigation. Employees will not need to prove that they have suffered any financial loss from any data breach, just that the data controller/processor is in breach of the GDPR.

What steps should the business be taking to prepare for the GDPR?

Whilst implementation is over a year away, as a business can hold volumes of staff personal data from a variety of sources – CCTV footage, emails, instant messaging, recorded calls, etc. – the business will need to start considering how to prepare for the gear change in the UK data protection regime.

  • Audit and document what types of information are held on staff, how and why it is processed, where it is shared and where it is stored (including deleted information) and how processing can be minimised to manage risk.
  • Review data protection ‘fair processing notices’ to include all the additional information that employees will be entitled to receive in respect of their rights.
  • Review and/or create easily accessible and understandable data protection policies as to how the business deals with staff data – a useful paper trail for compliance.
  • Review consent mechanisms to establish whether the business would be able to demonstrate that an individual has actively given their unambiguous consent for the business to process their personal data for a particular reason. Consider including data protection provisions in employment contracts with separate signatory boxes.

For more information, please contact a member of our Employment team.