The implementation of the General Data Protection Regulation (GDPR) is widely described as the biggest overhaul of data protection legislation in a generation. To some extent, this understates the significance of the changes in the digital economy since 1998 – the most recent transformation of data protection legislation. The GDPR aims to capture a world of cloud computing, social media, artificial intelligence, Instagram and Bitcoin and the barely imagined changes of the next 20 years. The GDPR imposes obligations on entities controlling and processing data and is intended to enhance an individual's ability to control their own data and restrict its use. The changes will require businesses to overhaul their approach to data and push employers to build data protection safeguards and procedures into all aspects of their operations.
What is the GDPR and how will it apply to the UK?
In January 2012, the European Commission proposed reform of data protection rules across the EU. Four years later, in April 2016, the GDPR was adopted by the European Council and European Parliament, with an implementation date of 25 May 2018.
In order to implement the GDPR and adapt it slightly for the UK, the Government will repeal and replace the Data Protection Act 1998 with a new piece of data protection legislation. As at the date of this article, that legislation exists only as a draft Data Protection Bill (the "Bill"), published in September 2017 and now progressing through Parliament. The Government envisages that the Bill, once implemented, will supplement the GDPR and continue to apply after Brexit.
The most significant and headline-grabbing change introduced by the GDPR is the sizeable increase in fines for non-compliance. Under the current regime, the UK data regulator, the Information Commissioner's Office (the "ICO"), can impose fines of up to £500,000, though most fines issued have been considerably lower. Under the new regime, the ICO can issue a fine which is the higher of: (i) 20 million Euros; or (ii) 4% of total worldwide turnover. It is expected that the new regime will pave the way for the ICO to show much more of its teeth after May 2018, and businesses should use the time between now and May 2018 to get their house in order and make sure that they do not become the 'example' for others.
A first step to compliance should be a root and branch audit of how and why data is collected, processed and stored. It is only once a business knows its data that it can identify risks and implement a compliance strategy. While the principles of the current data protection regime will remain broadly similar, the GDPR introduces a number of new concepts to strengthen the rights of individuals in relation to their personal data, along with a new emphasis on demonstrating accountability. Personal data relating to employees is likely to be extensive and it is important that employers and those responsible for HR are aware of the key requirements from an employment perspective. We discuss these in more detail below.
Fair Processing Notices
First, employers as data controllers must provide information, in an intelligible and concise way, to anyone whose personal data they obtain ('data subjects'). This includes:
- the identity and contact details of the data controller;
- the purposes for which the controller processes personal data;
- the existence of the right of data subjects to request access to personal data, the rectification of personal data or the erasure of personal data; and
- the right to lodge a complaint with the ICO.
This information should be relatively easy to standardise and might be provided on an internal webpage or by a standard notice given to employees and applicants at the point of collecting the data. However, subject to some exemptions, controllers will also be required to provide the following specific information:
- the legal basis for the processing (see below);
- how long the data will be stored; and
- information about the categories of recipients.
This is likely to require some thought. For example, the legal basis for the processing may differ depending on the type of data, and the employer may wish to retain certain types of data for longer periods than others. Key to complying with the obligation to provide this information is preparation, including conducting a data audit as mentioned above.
- Consider the form, content and timing of notices;
- Consider and document the lawful basis for processing; and
- Consider retention periods for employment data.
Justifying processing and consent
One lawful basis for processing personal data is consent. This remains the case under the GDPR and the Bill. However, consent will be harder to obtain: it must be a freely given, specific, informed and unambiguous indication of the individual's wishes, and there must be some form of clear affirmative action separate from other terms and conditions. There is also a right to withdraw consent, potentially leaving data controllers with no stated basis for processing. As a result, most practitioners are advising against its use.
Helpfully, the other relevant conditions for processing personal data are widely defined and include reasons relating to the performance of, or entry into, a contract, or compliance with a legal obligation. Almost all HR-related activities can fall within these lawful reasons for processing. However, employers need to apply their minds to identifying the reason(s) for the processing in relation to each type of data, and document those reasons.
As with the current regime, the processing of 'sensitive' personal data, such as information relating to health and ethnicity, is treated more restrictively. Express consent remains a valid basis, though the same concerns apply as those expressed above and reliance on consent should be minimised wherever possible. An employer will likely be able to justify processing of sensitive personal data in the employment context on the basis that it is necessary for "the carrying out of obligations or exercising rights in the field of employment as mandated under domestic law". As before, relying on this ground for processing will require the employer to ascertain the reasons for the processing of the data in question and the legal justification for it.
Once an employer has identified the different types of data it holds about individuals and the reasons and legal basis for each type, and decided on the appropriate timing and format, the next step of producing the notice itself should be relatively straightforward.
Data subject access request rights
Employers will be familiar with employees or former employees making data subject access requests (DSARs). The right to make a DSAR will not change, but the £10 fee will be removed and the standard time limit for responding to the request will be reduced from 40 days to one month. Given that many DSARs are extremely time-consuming, this reduction will put added pressure on businesses, and it is imperative to have proper processes in place to deal with DSARs in a timely manner. The time limit can be extended by a further two months where requests are complex or numerous, but the individual has to be informed of the basis for the extension within the original time limit, and it is thought that this extension will be interpreted conservatively. In addition, the GDPR permits an administration fee if the request is "manifestly excessive or unfounded". The ICO has already made it clear that the charging of additional fees should be the exception rather than the norm.
Although the GDPR will not materially change the way in which DSARs are handled, it is likely that, in a climate of heightened focus on data protection, requests will carry more weight because they can be used as a stepping stone to other points of leverage or to shine a light on poor data practices. Ultimately, a fully compliant employer should not find it difficult to locate and collate personal data and would be confident about its data retention periods. A prudent business might also train its staff to avoid creating personal data unnecessarily and without proper basis (particularly in connection with potentially contentious matters) in order to reduce the scope of the response.
If a business can produce a precise and analytic system to respond to DSARs from the outset it is likely to save itself considerable difficulty in the longer term.
- Be prepared to action DSARs as soon as they are submitted but always consider whether a time extension might be possible; and
- Be aware that the response to a DSAR may expose poor data practices. Know your data.
Right to be forgotten and right of rectification
A data subject will be able to request the erasure or correction of certain personal data as well as being provided with their personal data in a portable format. Practitioners have speculated about the prospects of a disgruntled employee submitting a DSAR and then using the information disclosed to request the deletion or amendment of certain categories of data. This has the potential to represent a significant burden on employers and also open up a range of issues relating to document retention and balancing the interests of staff.
Employer concern in this area may be slightly over-stated. The right to be forgotten and the right of rectification are both caveated rights and will not provide an employee with an automatic right to 'search and destroy' data which is not helpful to them. Nonetheless, the presence of a fair processing notice which indicates the justification for processing and typical duration should be helpful in showing that the employer has turned its mind to the issue. The ICO is likely to be more sympathetic to an employer retaining data for a period of time in accordance with company policy rather than a business which takes a more ad hoc approach to data retention.
- Think about what data should be retained, for example in respect of future employee claims or for the provision of references; and
- Consider how certain information might be deleted. Ensure that adequate control is kept over websites and databases so that selective or partial deletion is possible.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. Breaches can be accidental or malicious (such as cybercrime or disgruntled ex-employees). Most frequently, breaches stem from mistakes – a member of staff may leave a laptop on a train, send an e-mail to the wrong recipient or fail to keep passwords secure. If an organisation becomes aware of a personal data breach in relation to data for which it is responsible, it must notify the ICO of the breach within 72 hours. The ICO should be given:
- a description of the nature of the personal data breach including, where possible, the number of data subjects concerned and the categories and number of data records concerned;
- the name and contact details of the data protection officer or other contact point from whom information may be obtained;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach and mitigate risk.
The obligation to report does not apply 'if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals' (this includes loss of control over data, limitation of rights, reputational damage and other social or economic disadvantages). The best approach to avoid a data breach is to ensure that there are procedures in place to minimise the risk of a breach in the first place and to ensure that, if a breach does take place, the information is protected in such a way as to reduce the risk of it impacting on the rights and freedoms of individuals.
If the data breach is likely to result in a 'high risk to the rights and freedoms of individuals' then the controller must also inform the impacted persons without undue delay and notify them of the nature of the breach and the contact details of someone at the company from whom more information can be obtained. The company will also need to provide details of the breach and the measures which will be taken to limit its impact. In circumstances where sensitive employee or customer details have been lost, this obligation could result in significant logistical and reputational difficulties.
Records must be kept of all breaches and action taken in relation to them – this obligation extends to any breaches that did not have to be reported to the ICO.
Given the short time scales and detail required for reporting, businesses need to have clear policies in place on how to handle a breach, with defined roles and responsibilities for individuals trained to deal with data breaches.
- Anonymise and encrypt data whenever possible and keep systems password protected;
- Determine who will be the primary and secondary 'contact point' in the event of a data breach;
- Implement firm-wide training. Conduct tailored training for staff handling data which is more exposed to a breach;
- Consider imposing an obligation on staff to report actual or suspected data breaches immediately; and
- Produce a 'data leak' response plan which includes the steps which will be followed in the event of a breach. Consider preparing a draft set of template communications to the ICO and impacted stakeholders that can be completed in case of a data breach.
Data Protection Officers
Public bodies and other organisations whose core activities involve regular and large-scale monitoring of personal data are required to appoint a data protection officer (DPO). A DPO would inform and advise organisations on their obligations, monitor compliance, provide training and be a point of contact for the ICO and individuals. Regardless of whether the GDPR makes it mandatory to appoint a DPO, a business must still ensure that it has sufficient staff and skills to discharge its obligations under data protection laws. Given the heightened requirements imposed by the GDPR, particularly the obligation to report data leaks, businesses should consider whether it is nevertheless appropriate to appoint a DPO.
- Consider whether the business has a contact point for data issues (whether relating to processing or data leaks); and
- Consider whether it is mandatory to appoint a DPO and if not, whether it would be desirable for the business to do so in any event.
The GDPR imposes significant obligations on businesses, and grants individuals a new batch of rights relating to their personal data. The regime requires that data protection becomes an agenda item for business decisions and that data concerns and data security are embedded into services and relationships from the outset. Given that employers hold considerable data in respect of their staff, the employment relationship should be a good starting point for a new approach to data protection compliance.
How we can help
We have a dedicated team of data protection and reputation management lawyers who work closely with technical experts in our in-house cyber security team to provide your business with:
- Data mapping and risk analysis;
- Implementation and embedding of new data protection policies and procedures;
- Training and awareness for key personnel and the workforce as a whole;
- Data breach planning and reporting; and
- DPO support.
For more information on how we can help you get GDPR ready, please contact Sharon Tan or Dominic Boon.