Unless you have been living under a rock, you will undoubtedly be aware that the EU General Data Protection Regulation ("GDPR") took effect on 25 May 2018.
The tidal wave of update notices and consent emails flooding into our inboxes has now subsided, but dealing with the implications of GDPR and all it involves is now part of everyday life for businesses across the UK.
For many, procedures and processes around GDPR are still being reviewed and implemented and, whilst the 25 May go-live date has passed, it is vital for businesses of all sizes to take a moment to check that their responsibilities are being fulfilled. As a quick reminder, the GDPR broadens the reach of the data protection legislation it replaced and introduces new rights.
Key rights of the individual include:
• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restrict processing
• Right to data portability
• Right to object
Key questions to ask yourself (and your business) are:
Have you assessed the risk? Most businesses are now accountable for assessing the risk that their data processing poses to data subjects. Depending on the nature and scale of that processing, this may also require the appointment of a data protection officer. A data protection impact assessment must be carried out before any processing begins if that processing is likely to result in a high risk to the individuals concerned.
Can you demonstrate compliance? How you do this depends largely on the size and nature of your business but, as a minimum, you should maintain documentation such as records of internal audits of data processing activities and reviews of internal HR policies. Employers must be able to show that the policies and procedures have been implemented.
Are you using Consent as the lawful basis of processing? If so, this must be freely given, specific, informed and unambiguous. There must be some form of clear affirmative action – a positive opt-in. Consent must be separate from other terms and conditions, and simple ways must be provided for people to withdraw consent.
Have you had a data breach? If so, you must notify your supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the individuals affected. Where the breach is likely to result in a high risk to those individuals, they must be told as well, without undue delay. Given these timescales, employers need to put a breach response procedure in place and ensure that the relevant staff are trained to recognise a breach and escalate it quickly.
Employers have additional responsibilities under the GDPR in relation to the management of employee data. The most important questions regarding GDPR from an employment perspective include:
How do you collect consent, and is it freely given? Many employers currently rely on an employee giving their consent as part of the employment contract. However, consent obtained in the employment contract is unlikely to be effective, because of the imbalance of power between employer and employee: employees may feel they have no real choice about signing their contract. Consider whether you can rely on another lawful basis to justify processing the data of your employees, such as performance of the employment contract, compliance with a legal obligation or your legitimate interests. Don't forget, where you do rely on consent, employees must be able to withdraw it as easily as they gave it.
How can employees be 'forgotten'? Employees have the 'right to be forgotten'. This means that, in certain circumstances, they can require their employer to delete their personal data. The right is not absolute: an employer may still need to retain records to comply with its legal obligations or to defend legal claims. Consider how such requests will be managed, including how you will identify the data that must be retained, and whether your current systems are adequate to locate and delete the rest.
How will data be ported? Employees have a new data portability right which allows them to request that certain personal data they have provided is transferred directly to a third party in a structured, commonly used and machine-readable format. How will such requests be managed?
Do you have adequate privacy notices in place? Employees and job applicants must be provided with certain information when their data is collected, usually in the form of a privacy notice. Privacy notices should be carefully drafted to ensure that the employer has sufficient flexibility to process employee and job applicant data as required by the business.
Who are your data processors? Employee data is often processed by third party providers such as payroll companies. The GDPR imposes more onerous obligations on the use of data processors, including a requirement for a written contract containing prescribed terms. You need to understand the new rules, identify each of your processors and ensure that your arrangements with them are GDPR compliant.
Taylor Walton is running a workshop “Life after GDPR” to discuss all of these issues and more at Beales Hotel, Hatfield on 20 September from 4pm to 6pm. To register your place for this interactive event, please email firstname.lastname@example.org