Getting ready for the GDPR - 10 things you need to know
The arrival of the General Data Protection Regulation (GDPR) will change the way organisations like yours manage personal data. This could be anything from names or email addresses to more detailed information such as bank details or medical records.
This legislation comes into effect on 25 May 2018 and will apply in all EU member states. The UK Government has confirmed that the GDPR will be implemented in the UK. As an employer you will need to rethink how personal data is collected, used and kept, from handling recruitment and employer references, to monitoring staff performance and storing records.
Here are 10 things you need to know in order to be ready for the GDPR.
GDPR affects small employers too
- The GDPR will apply to organisations of all sizes. The fact that your organisation employs just 50 or 100 people doesn’t exempt you. However, not all organisations will be treated the same: employers need to take measures that are appropriate, taking into account a number of factors. If you’re not processing large amounts of data, or are not involved in high-risk processing, you won’t be expected to commit as many resources to GDPR compliance as larger or more data-intensive operations. There are very limited exemptions in terms of record-keeping requirements for organisations with fewer than 250 employees (these do not apply to the processing of sensitive data), but all other requirements of the GDPR apply.
- The Data Protection Act 1998 already gives employees the right to make a subject access request in relation to their personal data; under the GDPR, these rights will be extended. For example from 25 May 2018, employees will need to be advised of any recipients of the data located in countries outside of the European Economic Area. They will be entitled to know for how long the data will be stored; of their right to have data corrected or deleted; and of their right to request the restriction of processing. The GDPR will make it easier for people to request details of data held too. Fees can no longer be charged and employers will have to respond within a month. The GDPR does contain protection to prevent abuse of these rights but the principle is clear: employees are entitled to faster and easier access to their data.
- The GDPR specifies the conditions under which it is ok to process data and you need to be sure that at least one applies. ‘Consent’ is one, but the employer/employee relationship means it could be tricky to prove that consent has been freely given so it’s advisable to have at least one other. Processing personal data is often essential to delivery of the employment contract – for example, paying the employee’s salary – so in many cases this will be sufficient. It could be that processing of data is necessary for complying with a legal obligation, and this is an acceptable reason. The pursuit of ‘legitimate interests’ is another, but you will need to show that your actions are necessary (e.g. in connection with a disciplinary investigation) and are not outweighed by the rights of the employee.
- The arrival of the GDPR will bring new protections for potential employees and, with it, new responsibilities for recruiters. For example, you will need to formalise the reasons why data is processed and the period for which it will be retained, and provide this information to applicants. If you intend keeping information ‘on file’ in case similar positions become available, you’ll need their consent to do so. This applies to unsolicited job applications too. The regulation will – with certain exceptions – mean an end to decisions based solely on automated data processing (e.g. automated shortlisting based on qualifications). Even if one of the exceptions does apply, candidates must be advised of the automated decision-making and the employer must put in place certain safeguards.
- The GDPR sets down the rights of individuals to ask that their personal data be erased. Reasons for this could be that it is no longer necessary in relation to the purposes for which it was originally collected; that it was ‘unlawfully’ processed; or that the individual objects to processing carried out on the basis of a legitimate interest of the employer and there are no overriding legitimate reasons for it to continue. Or the individual could simply withdraw his or her consent in circumstances where there are no other grounds for processing. If the data has been made public, you will also need to inform others that erasure of the data has been requested. There are certain circumstances (e.g. legal obligations or defence of a legal claim) when you would not have to comply with such a request, but processing for any other purposes would have to cease.
- Under the GDPR, employers would be allowed to carry out criminal records checks on prospective employees only if this is specifically authorised by law, for example where a Disclosure and Barring Service check is required for a role involving work with vulnerable adults or children. However, this is an area where the GDPR allows governments to set their own national rules to some extent. Under the proposed new UK data protection law, employers would be able to carry out criminal records checks in more circumstances than allowed under the GDPR. You may be able to carry out a check if it’s necessary for the purposes of performing or exercising employment law obligations or rights, or when the job applicant has consented to the check – provided that the consent meets the strict requirements under the GDPR. If your organisation currently carries out criminal records checks you should keep up to date with developments in this area.
- If your organisation is a public body, your core activities involve large-scale data processing requiring regular monitoring of individuals, or there’s large-scale processing of sensitive personal data or data relating to criminal convictions, then the GDPR is clear: you will need to appoint a Data Protection Officer (DPO). Their job will be to make sure that everyone is aware of their rights and responsibilities, and to monitor compliance. The role can be contracted externally or carried out by a member of staff. The nature of the role is a sensitive one so under the GDPR the position should be independent of influence from the organisation. DPOs are protected from being dismissed or penalised for carrying out their duties.
- If your organisation transfers personal data outside the European Economic Area (EEA), you will need to ensure that adequate protection is provided. Some countries and organisations have already been certified as having the necessary safeguards in place. Companies in the US can sign up to the Privacy Shield framework, which has been approved by the European Commission as meeting the required standards. If no such certification or approval exists, it will still be possible to transfer data outside the EEA as long as appropriate safeguards are provided. This could be through such things as legally binding agreements between public bodies, binding corporate rules, or arrangements authorised by the relevant supervisory authorities.
- A key requirement of the GDPR is that employees are informed about the processing of personal data you carry out, and this must be formalised in an information notice (also known as a ‘privacy’ or ‘fair processing’ notice). The information provided to an employee needs to be significantly more detailed than that provided under the Data Protection Act 1998 and includes, among other things:
  - The identity and contact details of the employer
  - The purposes – and legal bases – for data processing
  - Details of any recipients of the data
  - Details of any transfer outside the EEA
  - The period for which the data will be stored
  - The right of access to data and to request its rectification or erasure
  - The right to withdraw consent (when the legal basis for processing is consent)
  - The source of the data (if not directly from the employee)
- Compliance with the GDPR is not something to be taken lightly. If, as an employer, you breach your obligations, you could face a fine as high as €20 million or 4% of your organisation’s global turnover – whichever is greater. A number of factors would be taken into account in determining the fine: the nature, gravity and duration of the breach; the damage suffered by individuals; and any action taken by the organisation to mitigate this damage. Other tools available to regulatory agencies include specific compliance orders and a ban on processing personal data.
The contents of this page are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.