Getting to grips with the new data protection law.
The General Data Protection Regulation will change the way employers approach automated decision making in recruitment, respond to subject access requests, and obtain consent from employees to their personal data being processed. The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, replacing the regime of the UK’s Data Protection Act 1998.
The Data Protection Act was implemented nearly 20 years ago. Since then technology has moved on dramatically, and the ways in which we use and share data have changed so much that the existing rules are badly outdated. Additionally, EU member states have implemented the underlying EU legislation in a variety of ways, which makes cross-border data sharing within the EU more complex than it needs to be.
The GDPR aims to address these concerns and will apply directly to all EU countries and the organisations that operate within them from May next year.
Will Brexit have an impact on this forthcoming EU legislation?
Ignoring the new legislation is not an option. The GDPR will automatically become law in the UK next year, and the UK government has made clear that it will comply.
Even after Brexit, the UK will want to keep the new regulation, or something similar to it, to ensure the free flow of data with its trading partners. The fines for employers that don’t comply are hefty, with a maximum fine of 20 million Euros, or 4 per cent of the organisation’s annual worldwide turnover, whichever is the greater.
What will stay the same?
The core rules of the Data Protection Act will remain. Employers will continue to process data as ‘data controllers’, and that processing must comply with six general data protection principles similar to those set out in the current Act (which currently has eight data protection principles).
The concept of ‘sensitive personal data’ also remains, but it will now be referred to as ‘special categories of personal data’ and has been expanded to include genetic and biometric data.
Other key concepts will continue but will look different under the GDPR.
What is changing?
For employers and HR professionals, the key changes connected with the GDPR concern consent, subject access requests, and automated decision making. The challenges presented by these changes are certainly not insurmountable, but the key is that organisations should begin preparing for them now to ensure a smooth transition to the new regime.
The GDPR will require employers to obtain a higher standard of consent from individuals to their personal data being processed. Consent must still be freely given, specific and informed (no change here), but it must also be unambiguous and signified by a clear affirmative act, and those giving it must be able to withdraw it as easily as they gave it. Where information falls into one of the ‘special categories of personal data’, that consent must also be explicit.
The general consent to data processing, commonly used in employment contracts, is going to have to change.
At Commissioning HR we are already planning the new wording for our employment contracts. We will issue this new wording in due course to existing clients who have taken our employment contracts.
The regulation also casts doubt on whether an employer can rely on consent at all when processing employee data. Its recitals note that where there is a ‘clear imbalance’ between the parties, as there is in an employment relationship, consent is unlikely to have been freely given, so employers should presume that an employee has not consented freely. Consent on its own may therefore no longer provide a lawful basis for processing employee data.
Key practical points
- Organisations should consider using another lawful basis for processing employee data (for example, performance of an employment contract, the legitimate interest of the business, or for public sector employers, performance of a public task).
- The lawful basis for processing the data will vary depending on the purpose – an employer should consider each processing activity as a separate matter.
- Organisations should nevertheless continue to obtain consent. To address the presumption that an employee has not consented freely, employers should ensure the wording clearly states that personal data will not be processed if the organisation does not receive consent.
- Employers should put in place standalone agreements which employees are invited to sign in order to positively affirm their consent.
Commissioning HR will be providing consent agreements to our clients.
Subject access requests
Employers now receive an increasing number of subject access requests, with some sectors, such as those with public responsibilities, receiving a considerable number.
The GDPR presented an opportunity to ban subject access requests that are nothing more than a ‘fishing exercise’. However, this has not happened, so the current case law on this issue will continue to apply.
The regulation does, though, give employers a new ground to refuse requests which are ‘manifestly unfounded or excessive’, although there is currently no guidance on what this phrase means.
The regulation will make subject access requests more challenging for employers to deal with. Except in certain circumstances, an employer cannot charge for complying with a request (currently a fee of up to £10 can apply), and will have to comply within one month rather than the current 40 days. This can be a significant resource issue for many organisations.
Key practical points
- Before rejecting a subject access request as ‘manifestly unfounded or excessive’, HR professionals should seek to narrow its scope with the employee concerned. They should consider this even where they don’t plan to reject a request, given that there will be no fee and less time in which to comply.
- The regulation provides scope to extend the compliance time limit by a further two months where a request is complex. HR professionals might wish to use this provision to extend time for compliance with all but the most basic requests.
- Larger employers, and those who receive high numbers of subject access requests, should consider the logistics of dealing with requests more quickly and, where appropriate, consider whether the organisation can change the internal infrastructure to facilitate this.
- Organisations could also consider putting in place systems allowing individuals to access their information easily online – this is recommended as best practice under the GDPR. However, employers may find it does more harm than good to have this information readily available and should think carefully before going down this route.
Automated decision making
The regulation introduces a new right for individuals not to be subject to decisions based solely on automated processing that produce legal effects concerning them or similarly significantly affect them. Such decisions should involve human intervention. Employers are most likely to face this issue when using online recruitment.
Key practical points
- Employers should reconsider the use of filters which might lead to job applications being disregarded before they are considered by a human being.
- If an employer does use filters, it should ensure that job applicants have the opportunity to opt out of them on an individual basis.
- If the volume of online applications is unmanageable without the use of filters, organisations should consider whether the automated decision making is necessary for entering into, or the performance of, a contract, because this is an exception to the right. Employers will need further guidance from the Information Commissioner's Office (ICO), or from case law, to be in a better position to know whether reliance on this exception might be justifiable.
Further Guidance on GDPR
The ICO has provided helpful guidance for employers on the GDPR on its website. ‘Guidance: what to expect and when’ provides access to an ICO note, ‘Preparing for the GDPR: 12 steps to take now’ (pdf), on the key actions data controllers should take to prepare for the new rules.
More detailed guidance, ‘Overview of the GDPR’, sets out how data protection law will change when the GDPR applies.
There is also specific guidance on consent - ‘draft consent guidance for public consultation’ - which contains a useful checklist. The ICO is due to publish a revised version of this guidance later this summer.
Commissioning HR will update its Data Protection Policy to reflect the changes under the GDPR, in line with the new legislation.
Contact us now to request your copy of the policy when it is ready for issuing.
This article has been adapted from a legal round up published by the CIPD and written by Victoria Albon, an employment associate at law firm Dentons.