GDPR: Your questions answered
25 May 2018 marked the introduction of the new General Data Protection Regulation in the UK in the form of the Data Protection Act 2018 and we have been answering many clients’ HR-related questions on the new legislation. In this article we have collated some frequently-asked questions to help you prepare and deal with some key challenges the GDPR presents.
Can we just rely on employee consent to process their data for employment/payroll purposes as we did under the old Data Protection Act (DPA 1998)?
As an employer you are required to inform your staff of the legal basis under which you will process their data. Relying solely on consent is not advisable under the GDPR because of, amongst other things, the imbalance of power between an employer and employee – the consent is unlikely to be deemed to be “freely given”.
Rather than consent, the most likely grounds on which you will be able to rely under the GDPR are where processing data is:
- necessary for the performance of a contract to which the data subject is party; or
- necessary for compliance with a legal obligation; or
- necessary for the legitimate interests pursued by the data controller or a third party.
Some activities may have more than one purpose, in which case more than one lawful processing condition may apply. For example, processing data about an employee’s statutory holiday entitlement would be necessary under their employment contract and necessary to comply with a legal obligation to pay statutory holiday.
Employers relying on the “legitimate interests” ground must (as was the case under the DPA 1998) balance their legitimate interests against the interests of the employee and consider whether they are overridden. The “legitimate interests” condition is unlikely to apply if the employee would not expect the processing to take place, or if it would result in unjustified harm.
In some circumstances it will still be appropriate to rely on consent in the HR context – for example where an unsuccessful job applicant consents to you retaining their details in case another job opportunity arises. In that kind of situation the applicant would be viewed as having a genuine choice in the matter and unlikely to suffer negative consequences if they refuse.
Official guidance on the GDPR indicates that it is not going to be acceptable for employers who request consent for data processing to use one of the other lawful bases as a “back-up” if consent is withheld or withdrawn. That means it is vital to identify the correct legal basis for processing the data from the outset.
Do we need to treat occupational health reports and criminal records checks differently in future?
Health-related information comes under the GDPR definition of “special category data” rather than “sensitive personal data” as it was known under the DPA 1998. To process special categories of data lawfully, additional conditions will need to be satisfied. These are set out in the Data Protection Act 2018 and include that the processing is necessary for the performance of employment law rights or obligations. The explicit consent of the employee will also be required, as it is now, for the release of a medical or OH report to the employer.
Data relating to criminal convictions has been carved out for special treatment (it’s no longer going to be considered together with “special categories of data”) but is expected to require the same additional conditions to be met as mentioned above.
How have the rules about subject access requests changed?
The GDPR is intended to provide data subjects with greater control over how their data is processed. The new legislation has removed the ability of data controllers to charge a fee for subject access requests (unless the request is “manifestly unfounded or excessive”) and has shortened the timeframe within which they must be responded to from 40 days under the DPA 1998 to one month. In cases where requests are particularly complex, the deadline can be extended by up to two months.
Under the GDPR, if an individual makes the request electronically, for example via email, you must provide your response in electronic form too (unless otherwise requested by the individual). In practice this might mean providing pdf copies of the documents or providing access to the documents via a secure online file storage system.
Finally, the new rules require you to provide more extensive information as part of your response to a subject access request. This supplementary information should already be in your employee privacy notice and includes what information is held about the applicant, what processing is being carried out, what the relevant data retention period is, and confirmation of their rights to have inaccurate data corrected and to make a complaint to the Information Commissioner.
Does the GDPR change how long we can keep employee records?
No. It was already a requirement under the DPA 1998 to keep personal data “no longer than is necessary for the purposes for which the personal data are processed”. However, the significant financial penalties introduced under the GDPR (see below) might provide an incentive to reconsider the processes you have in place to destroy personal data when it is no longer needed.
We didn’t have the resources to be ready for 25th May – how worried should we be?
Now that the GDPR is in force, you need, at least, to have identified what needs to be done and have put into action a plan to achieve it. For many organisations this will be a work in progress. Although the new rules are enforceable from 25th May, any breach will be considered in the context of arrangements you have in place to make yourselves compliant, including evidence that you have correctly prioritised outstanding tasks.
The ICO has the power to impose fines of up to €20m or 4% of annual turnover (whichever is greater) on employers who do not process employee data lawfully and fairly, or who do not provide employees with the required information. However, fines will be proportionate to the breach and the harm caused. The ICO has said that it will reserve its powers for those organisations who “choose not to cooperate, or show deliberate disregard for the law”.
Can Hempsons give me a suite of documents and forms to fill in to make us GDPR compliant?
We can help you to draft compliant documents but GDPR compliance is unique to every organisation and involves cultural changes that will continue long after it comes into force. Even privacy notices need to be tailored to take account of the specific information employers hold and how they handle it.
The Employment newsbrief is available in full here.