It has been almost 20 years since the Data Protection Act (1998) (DPA) was used to implement the EU data protection directive. A great deal has happened over the last 20 years, and the way we now use and share data has changed almost beyond recognition. The existing Act has started to look dated. Member states implemented the EU data protection directive into their domestic law in a variety of ways. This has made data sharing in the EU more complex than it needed to be. To address these concerns, the EU’s General Data Protection Regulation (GDPR) will come into force in all EU countries and the organisations that operate within them from spring next year. Consequently, from 25 May 2018 the GDPR will replace the UK’s DPA. Employers that don’t comply risk a maximum fine of 20 million Euros, or 4 per cent of their annual worldwide turnover, whichever is the greater. However, exemptions apply for SMEs for whom data processing is not a core business activity.
Brexit will have no immediate effect on this. The GDPR will automatically become law in the UK next year. Post Brexit, the European Union (Withdrawal) Bill will transfer all existing EU legislation into domestic UK law. Even if government Ministers used their much discussed Henry VIII powers, the UK will want to keep similar regulations, to ensure the free flow of data with its trading partners. The GDPR is not going away. Employers will continue to process data as ‘data controllers’ and that processing must comply with six general data protection principles, similar to those set out in the DPA. There are, however, significant additions. Whilst ‘sensitive personal data’ will remain, in the GDPR it is referred to as “special categories of personal data”, and will now include genetic and biometric data.
The key issue is that organisations, if they haven’t already started, should begin preparing now, so they can guarantee a smooth changeover to the new legislation. There will be some significant changes for employers and these changes concern:
- subject access requests, and
- automated decision making.
The GDPR will require employers to obtain a higher standard of consent from individuals to their personal data being processed. Currently, employees must give consent freely, specifically and when informed. However, under GDPR the consent must also be clear and positive, and employee must be able to easily withdraw. To process Information in one of the ‘special categories of personal data’, the employee’s consent must be explicit. The current popular practice amongst employers of seeking general consent to data processing as a clause in the contract of employment will no longer be acceptable.
Under the GDPR, employers cannot assume consent. This is because there is a “clear imbalance” between the parties to an employment relationship, so employers should presume an employee has not consented freely. So, consent on its own may no longer provide a legal basis for processing employee data. Consequently, employers should use grounds other than consent to justify the processing of employee personal data. These grounds may include:
- legitimate interests of the business,
- contractual necessity (e.g.: processing payments and running the payroll), and
- necessary for the compliance with a legal obligation (e.g. having to process tax return details with the tax office).
Subject Access Requests
Subject access requests will now become more challenging, Employers will not be able to charge a fee, unless the request is ‘manifestly unfounded or excessive’. ‘Manifestly unfounded or excessive’ is not defined. However, the employer will be required to provide evidence of how they have reached the decision that a Subject Access Request is “manifestly unfounded or excessive”. Employees’ must be able to make requests electronically (e.g. by email). Where a request is made electronically, the information should be provided in a commonly-used electronic form, unless the employee requests otherwise. Employers must respond to these requests within a month, rather than the 40 days allowed under the DPA. However, this may be extended with particularly complex requests. Similar to the current position under the DPA, employers may withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’.
Employees and applicants have a right under the GDPR not to be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability and behaviour). The GDPR requirements regarding automated decision-making mean that employers should incorporate human intervention into automated processes that significantly affect employees unless they are relying on an exception to the rule.
Below are some key points to consider ahead of the GDPR goes live on 28th May 2018:
- Identify other lawful basis rather than consent, for processing employee data N.B. the lawful basis for processing the data will vary depending on the purpose, employers’ should consider each occasion as a separate matter.
- Continue to obtain consent, where consent is required, This will allow employers to rebut the presumption that an employee has not consented freely. Ensure the wording clearly states personal data will not be processed if the organisation does not receive consent.
- Put in place standalone agreements which employees are invited to sign in order to positively affirm their consent.
Subject Access Requests
- Before declining a subject access request as “manifestly unfounded or excessive”, employers should seek to narrow the scope of the request with the employee concerned. As there will be no fee and less time to comply, agreeing to limit the scope will be helpful, even if the employer doesn’t plan to reject a request.
- The regulation provides scope to extend the compliance time limit by a further two months where a request is complex. Employers may want to consider using this provision to extend time for compliance with all but the most basic requests.
- Employers may wish to consider putting in place systems which will allowing employees to access their information easily online. Although this approach is recommended as best practice under the GDPR. Employers will need to be confident that their data is well managed and there are good systems in place in support of data retention and redaction protocols, otherwise it may do more harm than good.
- Employers should reconsider the use of filters which might lead to job applications being disregarded before they are considered by a human being.
- If an employer does use filters, it should ensure that job applicants have the opportunity to opt out of them on an individual basis.
- If the volume of online applications is unmanageable without the use of filters, organisations should consider whether the automated decision making is necessary for entering into, or the performance of, a contract. However, employers will need further guidance from the Information Commissioner’s Office (ICO), or from case law, to be in a better position to know whether reliance on this exception might be justifiable.
The ICO has provided helpful guidance for employers on the GDPR on its website.
2 publications I recommend are:
- Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now
- Overview of the General Data Protection Regulation (GDPR)
This news item was written by Sean McCann, FCIPD, the Managing Director of People Based Solutions an organisation that specialises in supporting small and medium sized businesses in effectively managing their work force and meeting all of their HR obligations. If you want to find out more about how People Based Solutions can help you manage you workforce, keep you employee records accurate and up to date,and meet your obligations under the GDPR click here to get in touch.