GDPR: Your questions answered

25 May 2018 marked the introduction of the new General Data Protection Regulation in the UK in the form of the Data Protection Act 2018 and we have been answering many clients’ HR-related questions on the new legislation. In this article we have collated some frequently-asked questions to help you prepare and deal with some key challenges the GDPR presents.

Can we just rely on employee consent to process their data for employment/payroll purposes as we did under the old Data Protection Act (DPA 1998)?

As an employer you are required to inform your staff of the legal basis under which you will process their data. Relying solely on consent is not advisable under the GDPR because, amongst other things, of the imbalance of power between an employer and employee – the consent is unlikely to be deemed to be “freely given”.

Rather than consent, the most likely grounds on which you will be able to rely under the GDPR are where processing data is:

  • necessary for the performance of a contract to which the data subject is party; or
  • necessary for compliance with a legal obligation; or
  • necessary for the legitimate interests pursued by the data controller or a third party.

Some activities may have more than one purpose, in which case more than one lawful processing condition may apply. For example, processing data about an employee’s statutory holiday entitlement would be necessary under their employment contract and necessary to comply with a legal obligation to pay statutory holiday.

Employers relying on the “legitimate interests” ground must (as was the case under the DPA 1998) balance their legitimate interests against the interests of the employee and consider whether they are overridden. The “legitimate interests” condition is unlikely to apply if the employee would not expect the processing to take place, or if it would result in unjustified harm.

In some circumstances it will still be appropriate to rely on consent in the HR context – for example where an unsuccessful job applicant consents to you retaining their details in case another job opportunity arises. In that kind of situation the applicant would be viewed as having a genuine choice in the matter and unlikely to suffer negative consequences if they refuse.

Official guidance on the GDPR indicates that it is not going to be acceptable for employers who request consent for data processing to use one of the other lawful bases as a “back-up” if consent is withheld or withdrawn. That means it is vital to identify the correct legal basis for processing the data from the outset.

Do we need to treat occupational health reports and criminal records checks differently in future?

Health-related information comes under the GDPR definition of “special category data” rather than “sensitive personal data” as it was known under the DPA 1998. To process special categories of data lawfully, additional conditions will need to be satisfied. These are set out in the Data Protection Act 2018 and include that the processing is necessary for the performance of employment law rights or obligations. The explicit consent of the employee will also be required, as it is now, for the release of a medical or OH report to the employer.

Data relating to criminal convictions has been carved out for special treatment (it’s no longer going to be considered together with “special categories of data”) but is expected to require the same additional conditions to be met as mentioned above.

How have the rules about subject access requests changed?

The GDPR is intended to provide data subjects with greater control over how their data is processed. The new legislation has removed the ability of data controllers to charge a fee for subject access requests (unless the request is “manifestly unfounded or excessive”) and has shortened the timeframe within which they must be responded to from 40 days under the DPA 1998 to one month. In cases where requests are particularly complex, the deadline can be extended by up to two months.

Under the GDPR, if an individual makes the request electronically, for example via email, you must provide your response in electronic form too (unless otherwise requested by the individual). In practice this might mean providing PDF copies of the documents or providing access to the documents via a secure online file storage system.

Finally, the new rules require you to provide more extensive information as part of your response to a subject access request. This supplementary information should already be in your employee privacy notice and includes what information is held about the applicant, what processing is being carried out, what the relevant data retention period is, and confirmation of their rights to have inaccurate data corrected and to make a complaint to the Information Commissioner.

Does the GDPR change how long we can keep employee records?

No. It was already a requirement under the DPA 1998 to keep personal data “no longer than is necessary for the purposes for which the personal data are processed”. However, the significant financial penalties introduced under the GDPR (see below) might provide an incentive to reconsider the processes you have in place to destroy personal data when it is no longer needed.

We didn’t have the resources to be ready for 25th May – how worried should we be?

Now that the GDPR is in force, you need, at least, to have identified what needs to be done and have put into action a plan to achieve it. For many organisations this will be a work in progress. Although the new rules are enforceable from 25th May, any breach will be considered in the context of arrangements you have in place to make yourselves compliant, including evidence that you have correctly prioritised outstanding tasks.

The ICO has the power to impose fines of up to €20m or 4% of annual turnover (whichever is greater) on employers who do not process employee data lawfully and fairly, or who do not provide employees with the required information. However, fines will be proportionate to the breach and the harm caused. The ICO has said that it will reserve its powers for those organisations who “choose not to cooperate, or show deliberate disregard for the law”.

Can Hempsons give me a suite of documents and forms to fill in to make us GDPR compliant?

We can help you to draft compliant documents but GDPR compliance is unique to every organisation and involves cultural changes that will continue long after it comes into force. Even privacy notices need to be tailored to take account of the specific information employers hold and how they handle it.

The Employment newsbrief is available in full here.
