The EU’s General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the UK’s Data Protection Act 1998.
The Act implemented the EU data protection directive nearly 20 years ago. Since then, the ways in which we use and share data have changed so much that the existing rules are somewhat archaic. Also, EU member states have imposed the legislation in a variety of ways, which makes cross-border data sharing within the EU more complex than it needs to be. The GDPR aims to address these concerns and will apply directly to all EU countries and the organisations that operate within them from spring next year.
Will Brexit make a difference?
Organisations might wonder if they can ignore the new legislation, given its purpose and the fact that it is an EU law. This is not an option. The GDPR will automatically become law in the UK next year, and the UK government has made clear that it will comply. Even after Brexit, the UK will want to keep the new regulation, or something similar to it, to ensure the free flow of data with its trading partners. Employers that don’t comply risk a maximum fine of 20 million euros, or 4 per cent of their annual worldwide turnover, whichever is the greater sum. The GDPR is not going away.
What is staying the same?
The core rules of the Data Protection Act will remain. In particular, employers will continue to process data as ‘data controllers’ and that processing must comply with six general data protection principles similar to those set out in the Act, although there are significant additions. The concept of ‘sensitive personal data’ also remains, although the GDPR refers to it as “special categories of personal data”, and the concept has been expanded to include genetic and biometric data. Other key concepts will continue but will look different under the GDPR.
What is changing?
For employers and HR, the key changes connected with the GDPR concern consent, subject access requests, and automated decision making. The challenges presented by these changes are certainly not insurmountable, but organisations should begin preparing their businesses for them now, if they have not done so already, to ensure a smooth transition to the new regime.
The GDPR will require employers to obtain a higher standard of consent from individuals to their personal data being processed. Employees must give consent freely, specifically and on an informed basis (nothing new there), but the consent must also be unambiguous and affirmative, and those giving it must be able to withdraw it easily. Where information falls into one of the ‘special categories of personal data’, that consent must also be explicit. The general consent to data processing commonly used in employment contracts is going to have to change.
The regulation also states that an employer cannot rely on consent when processing data. This is because there is a “clear imbalance” between the parties to an employment relationship, so employers should presume an employee has not consented freely. So, consent on its own may no longer provide a legal basis for processing employee data.
Key practical points
- Organisations should consider using another lawful basis for processing employee data (for example, performance of an employment contract, the legitimate interest of the business, or for public sector employers, performance of a public task).
- The lawful basis for processing the data will vary depending on the purpose – an employer should consider each occasion as a separate matter.
- Organisations should continue to obtain consent. To rebut the presumption that an employee has not consented freely, employers should ensure the wording clearly states personal data will not be processed if the organisation does not receive consent.
- Employers should put in place standalone agreements which employees are invited to sign in order to positively affirm their consent.
Subject access requests
Employers now receive an increasing number of subject access requests, and the GDPR presented an opportunity to ban subject access requests that are nothing more than a ‘fishing exercise’. This has not happened, so the current case law on this issue will continue to apply. However, the regulation does give employers a new opportunity to refuse to comply with requests which are “manifestly unfounded or excessive”, although there is no guidance on exactly what that phrase means.
The regulation will make subject access requests more challenging for employers to deal with. Except in certain circumstances, an employer cannot levy a charge for complying with a request, and will have to comply within one month, rather than the current 40 days.
Key practical points
- Before rejecting a subject access request as "manifestly unfounded or excessive", HR professionals should seek to narrow the scope with the employee concerned. They should consider this even where they don’t plan to reject a request, given there will be no fee and less time in which to comply.
- The regulation provides scope to extend the compliance time limit by a further two months where a request is complex. HR professionals might wish to use this provision to extend time for compliance with all but the most basic requests.
- Larger employers, and those who receive high numbers of subject access requests, should consider the logistics of dealing with requests more quickly and, where appropriate, consider whether the organisation can change the internal infrastructure to facilitate this.
- Organisations could also consider putting in place systems allowing individuals to access their information easily online – this is recommended as best practice under the GDPR. However, employers may find it does more harm than good to have this information readily available and should think carefully before going down this route.
The regulation introduces a new right for individuals not to be subject to decisions based solely on automated processing that have a damaging impact on them, whether legally or otherwise. Such decisions should have human intervention. Employers are most likely to face this issue when using online recruitment.
Key practical points
- Employers should reconsider the use of filters which might lead to job applications being disregarded before they are considered by a human being.
- If an employer does use filters, it should ensure that job applicants have the opportunity to opt out of them on an individual basis.
- If the volume of online applications is unmanageable without the use of filters, organisations should consider whether the automated decision making is necessary for entering into, or the performance of, a contract, because this is an exception to the right. Employers will need further guidance from the Information Commissioner's Office (ICO), or from case law, to be in a better position to know whether reliance on this exception might be justifiable.