The General Data Protection Regulation (GDPR) is European Union law that has imposed strict rules on the handling of personal data since 25 May 2018. It requires data controllers to comply with a set of principles when processing personal data.
The rules exist to protect the personal information that organisations hold on individuals in the EU. GDPR replaces the 1995 Data Protection Directive, on which current UK law is based, and covers any information that could be used to identify a person.
Even though the UK has triggered Article 50 and is due to leave the EU on 29 March 2019, it has implemented GDPR and will continue to apply it. The procedures therefore still need to be followed.
The 8 Data Protection Principles
The 1995 directive required each member state to enact its own data protection law; in the UK that is the Data Protection Act, and all members of staff responsible for processing personal data must abide by its eight principles. GDPR carries these forward (and adds an explicit duty on the controller to demonstrate compliance). Personal data must be:
- Processed fairly and lawfully;
- Obtained only for one or more specified and lawful purposes;
- Relevant, adequate and not excessive;
- Accurate and kept up to date;
- Kept for an appropriate length of time;
- Processed in accordance with the individual's rights under the Act;
- Stored securely;
- Not transferred to other countries unless adequate data protection is in place.
What types of data are protected?
Protected data includes anything personal or confidential that could be used to identify a person. It is therefore important for an employer to understand what this covers, which includes (but is not limited to) names, email addresses, photographs (including those posted on social media), and bank details.
Where does data protection need to start in the workplace?
Data protection needs to be a major consideration for all companies, and the data held on each member of staff must be protected.
Data protection procedures start at the initial job application, when both electronic and hard-copy records begin to build up into a Human Resources file. For example:
- Employment references
- Payroll information
- Tax codes
- Disciplinary action
- Email address
- Employee photograph
Personal data relating to employees is likely to be processed differently from data relating to others (clients, suppliers and so on), and the implications are particularly significant because employee data comes in so many forms. It may also include:
- CCTV filming
- Account data held on computers for logon purposes
- Data on websites that have been visited
- Emails sent and received.
Issues with data in the workplace
Employee information often exists in forms outside the structured hard-copy or electronic HR file. This creates challenges both in complying with the principles and in handling a subject access request.
Unstructured data includes, for example, the body of an email, whose text may turn out to be sensitive or personal data. Such information is often beyond the practical ability of the data controller (the employer) to locate, index and control.
Duties in the workplace
The Data Controller
The data controller is the person or organisation that decides why and how personal data is processed; in the workplace this is the employer. The controller is ultimately accountable for protecting personal data by applying the data protection principles, and must be able to demonstrate compliance.
Employers are expected to implement a data protection system that is practicable for their company. They must also ensure that data collection is kept to a minimum and only takes place when necessary.
The Data Processor
A data processor is a person or organisation that processes personal data on the controller's behalf (for example, an outsourced payroll provider). A processor may act only on the documented instructions of the data controller and must ensure the security of the data. While controllers are liable to the individual for compliance, processors have their own duty to comply, and if they fail to act on their instructions they may be held responsible.
Data Protection Officers
The Data Protection Officer advises data controllers and processors on their legal obligations, monitors compliance with the data protection principles, and acts as the point of contact for the regulator (in the UK, the Information Commissioner's Office).
Consent
Consent is one legal basis for processing personal data. Historically employers often relied on a standard provision in the contract of employment, but under GDPR consent must be freely given after the individual has been fully informed. Consent cannot be established where the person was given no real choice, so a consent clause included in an employment contract is unlikely to be effective, because the employee has not given it freely.
Where consent is relied upon, the employer should obtain it through a clear written declaration in a separate document, supported by a privacy notice that tells the employee how their data will be processed. The individual may withdraw consent at any time.
Fair and transparent processing
Data must be processed fairly and lawfully, and processing must be transparent. For an employer this means openness: for example, if a Data Subject Access Request (DSAR) is made, the employer must be able to show how it approached the search.
Where consent is not relied upon, processing must rest on another legal basis, typically that it is necessary for the performance of the employment contract or for the employer's legitimate interests. As part of transparency, the employer must be able to explain the source of the data (if it did not come from the employee), who may receive it, and how long it will be kept.
Data Subject Access Request and Rights
A data subject is the individual the data relates to, for example an employee. A data subject may apply for all the personal information being held about them. Such requests are rarely made within the workplace, but there is a strong chance of employees exercising the additional rights that GDPR gives them:
- Right to have data deleted (the right to be forgotten)
- Right to rectification where information is inaccurate or incomplete
- Right to restriction of processing (where the processing was unlawful or the data inaccurate)
- Right to object to the processing of their data.
However, an employer can override this objection if there are compelling and legitimate grounds for processing the data.
What is a data protection breach?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not limited to outsiders gaining access: it includes sending personal data to the wrong person, and lost or stolen devices that contain personal information.
In the event of a breach that is likely to result in a risk to individuals, GDPR requires a company to notify the data protection regulator within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.
The regulator and the individuals must be given a description of what happened and the number of people affected. The likely consequences must be explained, together with the measures taken or proposed to deal with the breach. A record must be kept of every data breach, including those that do not need to be reported.
Since May 2018, failure to comply can result in a fine.
The fine depends on the particular infringement and can be very costly. For the most serious infringements a business can be ordered to pay up to 4% of its annual global turnover or €20 million, whichever is greater. A lower tier (up to 2% or €10 million) applies to failures such as not taking appropriate security measures or not notifying a breach.
What Should Employers Do Now?
- Consider appointing a Data Protection Officer;
- Ensure that you have an up-to-date privacy notice and, where consent is relied upon, a separate consent declaration for employees;
- Ensure the data that is being held is done so on legitimate grounds;
- Establish a policy for dealing with a potential breach of data protection;
- Ensure that staff are trained on the importance of data protection and how it affects their job;
- Develop a policy for the storage of data, including emails;
- Identify any areas where change is necessary to avoid a breach.