Will Walsh from RB’s Employment Team gives an overview of the urgent action points that employers need to take before the General Data Protection Regulation (GDPR) comes into force on 25th May 2018.
The penalties for failing to comply with the GDPR can be very severe, with fines of up to €20 million or, if greater, 4% of group turnover. Although the changes don’t come into effect until next year, your business will have to undergo a huge number of changes. The key areas employers need to look at as soon as possible will be as follows:
Identify all existing personal data processing systems
The starting point for all employers will be to carry out an audit of all data processing they do. Processing includes obtaining, holding, recording, using, disclosing or erasing any personal data. Personal data is any information that identifies an employee. Employers need to know what types of data they process, who it relates to and the systems they use to process that data.
Using consent to process data
Under existing data protection law, there are a number of different grounds an employer can use for processing personal data, and the most commonly used is consent. Many employers include a standard clause in employment contracts, confirming that by signing the agreement, the employee gives consent to their personal data being processed. The list of lawful grounds for processing data is similar under the new law; however, there will be severe restrictions on an employer’s ability to use consent as a reason for processing data.
Consent must be given entirely freely and those who give consent have the right to withdraw that consent. If included in an employment contract, the consent will not be given freely as it is bundled together with the other terms and in most cases, an employee will have little bargaining power to ask for their consent to be removed from a contract.
Further, if an employee gave consent and then withdrew that consent, the employer would be prevented from processing any data for that employee. If the employer tried to choose a different ground for processing data in the event that consent was withdrawn, that in itself would demonstrate that the initial request for consent was not genuine.
Therefore employers should check contracts and other employment documents to see where they have asked for consent to data processing. Where consent has been requested, employers must consider whether they genuinely need consent as the reason for processing data, or whether they should rely on one of the other grounds for processing that data. It will be rare that consent is the only ground an employer can rely on for a particular processing activity; where another ground is available, consent should not be used.
Prepare fair processing notices
Employers must provide full information on the legal basis for processing each different type of data, and provide this to employees and job applicants in respect of any of their personal data being processed. The notice must be in plain language, concise and specific. It must detail the source of the data, who will receive it, the period for which it will be stored, the legitimate ground on which the employer is relying to process the data and the rights of the individual.
Review data protection policies and employee handbooks
It will no longer be sufficient simply to comply with data protection law; employers will also be required to demonstrate compliance. As employers will need to be much more transparent and specific about data processing, it is highly unlikely that current data protection policies will be fit for purpose. Going forward, policies should be substantial and detailed documents, covering all types of data processing and the particular information, rules and requirements relating to each.
Prepare a data breach response plan
The GDPR requires mandatory breach reporting. For example, if an employee loses a portable device storing data about other employees, customers, suppliers or any other individual, the employer will need to notify the regulator within 72 hours. Therefore it is critical that all employees understand what they need to do if there is an issue, and what steps will be taken to ensure that the notification is made on time.
Ensuring compliance by data processors
Employers will often pass employee data to third parties, such as payroll companies, pension providers or medical insurance companies. In these circumstances, the employer may be classified as a “data controller” and the third party will be the “data processor”. The rules on the use of data processors will become stricter: employers will need to ensure that data passed to processors is handled correctly and, as the processors themselves will have a number of liabilities, they will require clearer information and stricter requirements from employers.
Staff training
A large amount of data will be handled by the employees themselves, often in an unstructured manner. For example, any email received will contain personal data about the sender and the recipient and, quite often, third parties. This may include special categories of data that have even stricter rules, for example details about health. Employers will still be responsible for how this data is processed.
In order to comply, and indeed demonstrate compliance, training should be given to all employees on their responsibilities and the employer’s requirements in respect of each category of data that might be processed.
How RB can help
We offer a checklist that allows you to understand exactly what changes your business will need to undergo to comply with the new GDPR. For a copy of our checklist, or if you would like to understand more about what you need to do to comply with the GDPR, or would like help with the preparation of your data protection policies, contracts, fair processing notices or a data protection audit for your business, please email Will Walsh on wwalsh@rawlisonbutler.com or call 01293 558540.