How GDPR will affect your business as an employer
Currently, employers' data protection duties are set out in the Data Protection Act (DPA) 1998. This sets out when personal data can be lawfully processed by data controllers: the people or bodies who determine the purpose of personal data processing and how it should be processed.
Please note: the DPA will be replaced by new legislation later this year to accommodate GDPR, as well as data protection regulation covering law enforcement.
Who will GDPR apply to?
GDPR applies to all companies within the EU that process and hold the personal data of employees or candidates residing in the EU. However, it also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects (namely employees and job applicants).
Key changes GDPR will introduce
1. It will be much harder to rely on consent as a legal basis for processing personal data.
Personal data is any information from which an individual can be identified. This includes a name, identification number or online identifier. For consent to be valid, it must be freely given. The imbalance of power between an employer and employee makes it difficult to show that the employee's consent is freely given. You may therefore need to rely on other legal bases for processing personal data.
2. Employers will have one month to respond to Subject Access Requests, starting from the date of receipt, rather than the current 40 calendar days.
These are often used by employees who wish to see a copy of the information their employer holds about them.
Employers can extend this period by up to two months where requests are complex or excessive. Employers should also provide the information free of charge, instead of charging the current maximum fee of £10. If a request is clearly unfounded or excessive, a reasonable fee may be charged.
What does your business need to do?
A good place to start is to carry out an audit to identify what personal data you hold about employees and candidates, and where it came from. How and why personal data is processed should be clearly identified, so that you can determine whether there's a lawful basis for processing employees' personal data.
You’ll also need to have appropriate documentation, including:
- Privacy notice. This informs employees how and why their personal data will be used in the context of an employment relationship. Under GDPR, you will need to provide employees and job applicants with more detailed information about the data you hold about them. This includes:
  - How long data will be stored for
  - Whether data will be transferred to other countries
  - Information on the right to have personal data deleted or rectified
- Data protection policy. This is recommended to set out a company's commitment to handling data under GDPR and data protection law, and should normally be included in the employee handbook. However, the privacy notice can also be used in the policy.
- Data retention policy. While GDPR doesn’t set out specific periods for retaining records relating to employment, it requires that data must not be kept for longer than necessary. Each employer must set its own retention time limits based on legislation and best practice requirements. It’s useful to set this out in a policy.
- Breach policy/procedure. This is important to help ensure compliance with the breach reporting requirements, detailed below.
- Consent form. On the rare occasion where another legal basis for data processing cannot be relied on, it will be necessary to have a separate consent form. It's important that this is worded clearly and relates to the specific data processing.
All public authorities and private companies who regularly monitor or process sensitive data on a large scale as a core activity will need to appoint a data protection officer (DPO). A DPO’s duty is to advise on GDPR obligations, monitor compliance and liaise with the data protection authority.
Breaches and penalties
GDPR imposes a new mandatory breach reporting requirement. Where there's been a data breach which is likely to "result in a risk for the rights and freedoms of individuals", you'll have to notify the data protection authority and provide it with certain information within 72 hours. A breach can include a loss or disclosure of personal data. Where the breach poses a high risk to the rights and freedoms of the individuals concerned, those individuals will also have to be notified.
Organisations in breach of GDPR can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater). There’s a tiered approach to fines and the level of fine will depend on the type of breach and any mitigating factors.
If you need any guidance or support in relation to these changes, the employment law specialists at Jelf can help.
This information is provided for the purposes of general interest and is not intended to apply to specific circumstances. Reasonable steps have been taken to check accuracy at the time of writing but we make no representation as to future accuracy. This information does not constitute legal or regulatory advice. We are not qualified to provide, and will not provide, legal or regulatory advice. We recommend that you obtain your own such specific legal or regulatory advice on matters such as GDPR from relevant professional advisers.