Preparing for GDPR Six steps UK Human Resources teams should take today

News / / Preparing for GDPR Six steps UK Human Resources teams should take today

Under the GDPR, financial penalties for a data protection breach will become a potentially eye-watering 4 of worldwide turnover or 20 million whichever is the greaternbspIn that environment the importance of making sure your organisation doesn't breach the rules and, if something does go wrong, to stay on the correct side of the ICO by notifying them within the newly mandatory 72 hours cannot be overstatedSo what are the six key steps employers need to take before next May's implementation date1nbspStop relying on data protection consents in your employment contracts (or elsewhere)The GDPR mandates that consent for the processing of personal data, in the absence of reasons otherwise justifying it, must be freely given, informed, specific and explicit'nbspAt the moment many employers have a general catch all data protection consent provision in their employment contracts but it is very doubtful these will be effective going forwardnbspIn itsnbspdraft guidance on GDPR consentnbspthe Information Commissioner's Office (ICO) said hellipnbspif for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing This may be the case if, for example, you are in a position of power over the individual for example if you are a public authoritynbspor an employer processing employee datanbspmy emphasisSo employers cannot rely on employee consents for processing data and will need to look at other justifications for doing sonbspJustifications can be that processing is necessary for the performance of the employment contract, or to protect the legitimate interests' of the employer, or that it is necessary for a specific legal obligation such as the requirement to send employee liability information to a transferee under TUPEnbspMost day-to day HR operations should be covered by these justificationsFar more problematic will the collection of sensitive personal datanbspIf you previously collected data like civil partnership status, health conditions or criminal convictions, you will now have to directly justify why you need this information in order to continue doing sonbspIf the data is not relevant to the role or management of the worker (do you need driving licence details in a desk based job) then you may find it impossible to justify or get a consent to collect itnbspI have seen employers monitor employee weight for workplace health reasons this will not be lawful under the GDPR unless there is a legitimate organisational reason for itWhat to do now Audit the personal data you hold on employees nbspEmployers need to closely examine what employee data they are processing and whynbspIf you don't have one of the legitimate reasons to collect the data (ie have a legitimate interest or legal requirement to do so, or you need to do so in order to properly perform the employment contract) then consider whether you should stop, and delete the unnecessary information you already have, in order to cease your reliance on soon-to-be ineffective employee consents2 Issue Privacy Notices'As a result of the GDPR, employees need to be given far more detailed information about how their personal data is being used by their employersnbspNot only must employers tell their staff why they are holding personal data, they must (amongst much else) also detail the legal basis for doing so, the organisation's data retention policy, and the right of the employee to make a complaint to the ICOnbspFurthermore this information must be given in a manner that is concise, transparent and easily accessibleWhat to do now Prepare straightforward and simple privacy notices to give to employeesnbspnbspSuch a note to all staff, containing the mandatory information, and issued well in advance of the GDPR's implementation next May, will ensure compliance with this new requirement3 Make sure you have procedures in place to immediately notify the ICO of any data breachCurrently there is no express obligation in the UK to notify the ICO in the case of a security breach of human resources data, although the ICO takes the view that it is required in serious casesnbspGoing forward, however, nearly all data breaches must be reported to the ICO within 72 hoursnbspFurthermore, if the breach is likely to effect the rights and freedoms of an employee, then that employee must be notified without undue delayWhat to do now Put in place an action plan to respond to breaches and consider appointing a Data Protection Officer to co-ordinate it (see below)nbspEmployees should not be deterred from reporting breaches, so consider how you will encourage employees to report when, for example, they lose a memory stick on the busnbspIt is more important to know in order to avoid a penalty from the ICO than to discipline the employee although common sense should be applied to serial offenders4nbspBe prepared for more Subject Access RequestsSubject access requests are controversial in employment law because they are frequently used by disgruntled employees (or ex-employees) to fish for information to be used in employment tribunal claimsnbspThis situation is likely to continue and the number of requests increaseThe previous (nominal) deterrent of a 10 fee will be abolishednbspEmployers will have to respond to requests within one month rather than the previous 40 days important in the context of the three-month time limit on most employment tribunal claimsnbspThe GDPR does contain provisions that, theoretically, allow employers to charge a fee, extend the one month time limit for responding, and even not respond at all, but it is almost inevitable that these provisions will be interpreted very narrowly and will not be an escape route for HR teams reluctant to complyWhat to do now More requests means more inconvenience unless your IT systems are able to easily retrieve the personal data sought by the relevant employeenbspA review of systems for retrieving personal data is a must and employers might also consider whether their staff should be able to have access to more of their personal data through online portals making a Subject Access Request unnecessary5 Consider appointing a Data Protection OfficerUnlike Germany, there is no obligation in the UK for employers to have a Data Protection Officer (DPO)nbspUnder the original GDPR proposals, it was envisaged that all large companies would have to have a DPO but that requirement has been scaled back so that only public authorities and organisations that systematically monitor or control large sets of personal data (eg health records) will have to have onenbspEven if an organisation is not required by the GDPR to have a DPO they may like to consider appointing one to show a commitment to comply with the new law, to ensure compliance and give training, draft policies and procedures, to be a point of contact with the IPO and to advise the business on the GDPR generallyWhat to do now Decide whether you should appoint a DPO from within your existing workforce or otherwisenbspIf you decide to recruit internally, determine their training requirements, and what the role will involve, ensuring it does not interfere or create a conflict with their existing tasks6 Be aware of new employee rightsThe so-called right to be forgotten has received a lot of attention in the context of social medianbspIt is unlikely that employees will be able to insist that every single email that mentions them be deleted but where, for example, an expired written disciplinary warning remains on file, the new right to ask employersnbspto delete it, freeze it, correct it' becomes very relevantWhat to do now nbspGet to know the new delete it, freeze it, correct it' data rights available to employees from next may and make sure your systems are capable of responding to them if necessary
Martin Pratt

Martin Pratt Partner

Related news & insights

News / Ince advises Japanese shipowner MOL on Hong Kong's first offshore LNG terminal

02-07-2019 / Maritime, Energy & Infrastructure

2 Julynbsp2019, Singapore - Leading international law firm, Ince, has advised Japanese shipowner, Mitsui OSK Lines (MOL), on the supply of a floating storage and regasification unit (FSRU) to the Hong Kong Offshore LNG terminal project (the Project)

Ince advises Japanese shipowner MOL on Hong Kong's first offshore LNG terminal

News / SPECIAL EDITION Insurance E-Brief

17-05-2019 / Insurance

We're pleased to share with you the seventh edition of The Insurance and Reinsurance Law Review


News / Easy Rent v EasyGroup

22-03-2019 /

Ince Gordon Dadds has successfully represented Easy Rent A Car Limited and George Nesteros (Easy Rent) in an appeal concerning the application of Articles 29 and 30 of the Recast Brussels Regulation (Recast) to proceedings for trade mark infringement and passing off issued in England by EasyGroup Limited (EasyGroup), a month after Easy Rent had commenced proceedings in Cyprus against EasyGroup

News / Ince Co and Blank Rome deliver seminar on US and EU regimes in relation to Iran and Middle East

21-03-2019 /

On Tuesday 19 March, Ince Co teamed up with the leading US sanctions experts, Blank Rome, and delivered a comprehensive sanctions seminar covering both US and EU regimes in relation to Iran and other relevant jurisdictions in the Middle East region

News / Raising capital from real estate sale and leasebacks as an alternative to debt financing

18-03-2019 / Real Estate

This article compares sale and leasebacks and debt financing from the perspective of a corporate occupier seeking to raise capital from their real estate assetsnbsp

Raising capital from real estate sale and leasebacks as an alternative to debt financing

News / Structural defects in the policy wording

26-02-2019 /

A number of buyers, largely buy-to-let investors, discovered defects in their newly-built flats shortly after the purchase They sought to recover the costs of remedying the same from three defendants, including Zurich Insurance Plc (Zurich) (trading as Zurich Building Guarantee (ZBG)) who issued building warranties as Standard 10 Year New Home Structural Defects Insurance Policies The judgment deals with the scope of the cover