GDPR – Issues for Employers
The GDPR will necessitate various changes for employers as regards their employee data collection and processing activities. In particular, employers should be aware of, and prepare for, the following revisions to the current data protection regime.
Restrictions on consent
At present, many employers justify processing personal data on the basis of employee consent, usually contained in the contract of employment. This approach has been criticised because consent may not be freely given due to the power imbalance in the employer-employee relationship.
The GDPR sets out more stringent and detailed conditions for the use of consent - it must be freely given, specific, informed and unambiguous. Consent obtained in the employment contract is unlikely to be effective. Going forward, employers will generally need to rely on one of the other legal grounds to process personal data, for example that the processing is necessary to fulfil a contractual or legal obligation.
More detailed privacy notices
Under the GDPR, employers will need to provide more detailed information in their privacy notices, including for how long the data will be stored, if that data will be transferred to other countries, and information on the range of employee rights regarding their data, such as subject access requests, deletion and rectification. This information must be concise, transparent, easily accessible and given in plain language. Employers will need to review current privacy notices and update them to comply with these more detailed requirements.
Data breach notification requirements
The GDPR requires mandatory breach reporting. Where there has been a data breach, the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified. Businesses will need to implement a data breach response process and train key personnel to recognise and address data breaches.
Changes to subject access requests
The time limit for responding to a subject access request (previously 40 days) has been reduced to one month (which can be extended up to two additional months where the request is complex). In addition, the £10 fee is to be removed (though employers can request a reasonable fee where the request is manifestly unfounded or excessive). Policies and standard form documents for responding to subject access requests will need to be updated and personnel will need to be trained in the new regime.
Other data subject rights
Employees will have increased rights to have data rectified or deleted and to object to certain processing. They will also have a right of data portability (to transfer personal data between data controllers). Employers should ensure relevant personnel understand these rights and implement appropriate procedures for dealing with them.
Relationships with data processors
Employee data will often be processed by third-party providers, such as payroll companies or cloud service providers. Data processors will have a duty to comply with the GDPR, with potential liability if they fail to do so. Employers may need to review their contracts with service providers who will be processing employee data and consider imposing stricter requirements and indemnity provisions.
Automated decision making
Employees have the right not to be subjected to automated decision making, for example, for performance management thresholds and triggers for sickness absence and/or attendance bonuses. Employers will need to consider alternative mechanisms for making these decisions.
Businesses will need a business-wide strategy as to how compliance with the GDPR will be achieved, and employment data is likely to form a considerable part of that strategy in most businesses. Employers will need both to comply and to demonstrate compliance, which will necessitate having appropriate policies in place, keeping records, and having clear lines of responsibility and training for staff.