Data protection regulation is not everyone’s cup of tea, and by not everyone, I mean most people. This is despite the fact that handling personal information about employees, often including sensitive personal information, is a fundamental part of an employer’s obligations and functions, writes Katie Harris, senior solicitor at Herrington Carmichael.
The Data Protection Act 1998 laid out some basic guidelines about processing personal data, which we should all be broadly familiar with. We know that it’s best to obtain an individual’s consent before processing their data, and many of us are familiar with the dreaded ‘Data Subject Access Request’ (a request by an individual for copies of all data held about them) that might occasionally land on our desks.
Savvy employers will have consent built into their employment contracts, so that it is obtained at commencement of employment. There will often be a ‘Data Protection’ policy in the handbook, and most organisations will have processes in place for dealing with a Data Subject Access Request. However, aside from this, most employers (or HR professionals) will have given data protection little thought.
2018 – the year of change
All that is about to change with the implementation of the General Data Protection Regulation (GDPR, referred to below as the Regulations) in the UK with effect from May 25, 2018. Not only do the Regulations introduce some key and important changes to the law, but the penalties for non-compliance are severe.
From May 25, 2018 onwards, fines of up to 4% of a company’s global annual turnover, or £17 million (whichever is higher), could be levied where a breach is found to have been committed. Potentially more worrying still, the Information Commissioner’s Office (ICO, the regulatory body for data protection) will have the power to stop entities from processing personal data at all. Imagine if your company were no longer able to process employee data: would it still be able to function, let alone employ people?
So, what are the key changes employers should be aware of? The most important of these (particularly for employers) is the change to the law on consent. Consent must now be ‘freely given, specific, informed and unambiguous’. It’s the ‘freely given’ part that will potentially give most employers a headache, since the ICO in its most recent guidance has made it clear that consent cannot be obtained simply by including it in a contract, and has also cast doubt on whether it can be obtained in an employment context at all, given the natural imbalance in the employer/employee relationship. Employers may no longer be able to rely on consent as the lawful basis on which to process employee information, and could instead have to demonstrate that the processing is ‘necessary for the purposes of the employer’s legitimate interests’, ‘necessary for the performance of the employment contract’, or ‘necessary for compliance with a legal obligation to which the employer is subject’.
The key word here is ‘necessary’, and this is where it gets difficult. For example, is it necessary to outsource your payroll to an external third-party provider? Probably not, as the payroll could be processed in house. In those circumstances consent will have to be obtained, and employers are then faced with the difficulty of demonstrating that their employees have given it ‘freely’.
The changes being introduced by the Regulations are too numerous to deal with in this article, but they include new requirements regarding the information that must be given to individuals in privacy notices, a raft of new individual rights such as the right to request deletion of data and the right to data portability (i.e. the right to transfer or take copies of personal data in an easy-to-use and accessible format), and strict notification processes to adhere to in the event of a breach.
Importantly, the focus under the Regulations will be on a company’s ability to provide evidence of compliance. A simple statement that the company complies with the law will not be enough. An employer will be expected to demonstrate compliance through evidence of implementation, such as copies of relevant policies, privacy notices, and employee training.
What should you be doing now?
Complying with the Regulations is a multi-faceted, organisation-wide task. Obtaining buy-in from the top down early in the process is essential. Many companies have established a GDPR ‘task force’ as a way of ensuring compliance throughout the organisation. The starting point is to understand what data you hold and how it is being used, which can be achieved by conducting an audit.
The next step is to identify the lawful basis on which you are processing that data, and then to compile (and implement) the relevant privacy notices, consent forms and policies. It’s important to engage with a specialist in data protection at an early stage to ensure you get the process right from the start. At Herrington Carmichael, we are assisting clients with building project plans so that they are fully compliant by the time May 2018 arrives.
In summary, data protection has suddenly become a lot more interesting, and is fast rising to the top of every employer’s agenda. The path to compliance is substantial, and there is a lot of work to be done. Our advice is to start now, so that you are in the right place when May 25 arrives.