The UK’s Data protection rules changed with the introduction of the EU’s General Data Protection Regulation (GDPR) on 25th May 2018. The new regulations meant significant changes to how organisations process data, with new restrictions meaning greater penalties for failing to meet data protection regulations. GDPR has had a serious impact on how your data is processed and stored – and not just for employees but also for contractors and job applicants.
Breaching the law could subject a company to significant fines of up to €20 million, or 4% of an organisation’s global annual turnover, whichever is higher.
The major changes that GDPR makes to the handling of HR information are:
- Data protection by design and default – A new approach to data that requires organisations to embed privacy considerations in both operational and strategic HR practices. Employers need to ensure that only personal data necessary for each specific purpose is processed. This includes ensuring that:
• only the minimum amount of personal data is collected and processed for a specific purpose;
• the extent of processing is limited to that necessary for each purpose;
• personal data is stored for no longer than necessary; and
• access to the data is restricted to that necessary for each purpose.
- Processing by consent – Many employers currently process your personal data based on consent. This approach has been increasingly criticised, as the validity of employee consent is questionable due to the imbalance of power in an employment relationship. Under GDPR consent must be “freely given, informed, specific and explicit”. Where your employer obtains consent in a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. This means that broad consents in employment contracts to process your data will not be valid. Further, the requirement that consent be freely given means that valid consent will generally be difficult to obtain in the employment context due to the imbalance of power.
- Legal basis for processing – There is a greater focus on the legal basis for processing personal data under the GDPR. As processing employee data on the basis of consent will be problematic, employers will need to rely on other grounds, including that processing is necessary for:
• compliance with a legal obligation;
• the performance of a contract; or
• the purposes of the legitimate interests of the employer or a third party.
If you were to object to processing based on legitimate interests, your employer cannot process the data unless it shows that its legitimate interests are sufficiently compelling to override your interests or rights, or that the purpose of processing is to establish or defend legal claims.
- Information for employees and job applicants – Under the GDPR, employers are required to provide more detailed information than under the Data Protection Act 1998 to employees and job applicants about the processing of their personal data. Under GDPR, information that employers must provide includes:
• the identity and contact details of the employer as a data controller;
• the data protection officer’s (DPO) contact details (if the organisation has a DPO);
• the purposes for which the data will be processed and the legal bases for processing, including, if relevant, the legitimate interests relied on;
• the categories of personal data to be processed;
• the recipients of the data;
• any transfer of the data outside the European Economic Area (EEA);
• the period of storage;
• the rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority;
• the consequences for the data subject of failing to provide data necessary to enter into a contract; and
• the existence of any automated decision-making and profiling, and the consequences for the data subject.
Employers must provide the information at the point of data collection. Where an employer wishes to process existing data for a new purpose, it must inform employees or job applicants of that further processing.
- Data subject access requests – You have an existing right under the Data Protection Act 1998 to obtain from your employer (or former employer):
• confirmation as to whether or not your personal data is being processed;
• information on your data, including the purpose of processing, categories of data collected and the recipients of such data; and
• a copy of the data being processed.
Under the GDPR, employers must provide the requested information within one month of the request (three months in the case of complex requests), and free of charge unless the request is manifestly unfounded or excessive. The GDPR places much more rigorous obligations on employers to have systems in place for complying with access rights, with particular emphasis placed on the clarity, transparency and accessibility of such systems.
- Accountability principle – One of the biggest changes under the GDPR is the new principle of accountability; the GDPR requires employers to demonstrate compliance with the data protection principles. This will mean enhanced obligations for employers, including a requirement to keep extensive internal records of data processing operations, which must be produced to the supervisory authority for inspection on request. Employers should create a data register to meet their record-keeping requirements. This should be an up-to-date written record containing information about all personal data processed by the organisation.
- Automated decision-making – You have a right under the GDPR not to be subject to a decision made solely by automated processing where a decision significantly affects you. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as your performance at work, health, personal preferences, reliability and behaviour). The GDPR requirements regarding automated decision-making mean that employers should incorporate human intervention into automated processes that significantly affect employees unless they are relying on an exception to the rule.
Lots to think about but the good news is we are employment law experts – so you don’t have to be. If you have further questions on this, or any aspects of your employment, chat to our HR experts today.