On 25 May 2018, the UK will finally implement the General Data Protection Regulation (GDPR).
There has been much debate about the impact of the GDPR, ranging from the apocalyptic to dismissive comparisons between GDPR and the damp squib that was the millennium bug. As ever, the truth almost certainly lies somewhere between these two extremes.
We know that the GDPR is a complex and far-reaching piece of legislation which will harmonise data protection laws across the EU. It will apply not only to EU companies, but to any company processing the personal data of individuals in the EU in relation to offering goods or services, or to monitoring their behaviour. Essentially, as of 25 May 2018, all organisations that process the personally identifiable information of EU residents will be required to abide by a number of provisions or face significant penalties. The penalties for breaching the GDPR include fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.
On the positive side, the GDPR is, to quote Elizabeth Denham (Information Commissioner), a ‘known known’, building on the existing Data Protection Act. Additionally, there are a lot of resources available, both on Simply-Docs and the website for the Information Commissioner’s Office (www.ico.org.uk). What is difficult for businesses, however, is the principles-driven nature of GDPR, which means that applying the GDPR is not a simple tick-box exercise. Instead, careful thought needs to be given as to how GDPR applies to different individual businesses.
Under the GDPR, employers will have to provide more detailed information, such as:
• how long data will be stored for;
• if data will be transferred to other countries;
• information on the right to make a subject access request; and
• information on the right to have personal data deleted or rectified in certain instances.
From an HR point of view, the main actions employers urgently need to take are:
1. Replace generic data consent clauses in employment contracts for new employees.
At present, many employers justify processing personal data on the basis of employee consent by way of a generic clause in the employment contract.
There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Instead, employers will generally need to rely on one of the other legal grounds to process personal data.
In the employment context, the most relevant legal bases for processing data under the GDPR are likely to be that it is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer's legitimate interests. If an employer relies on the legitimate interests ground to process personal data, it must specify the particular legitimate interest for which the processing is necessary (such as the defence of potential legal claims).
Simply-Docs employment contracts have been updated with data protection clauses that are GDPR-compliant.
2. For existing employees and contractors, issue a new GDPR-compliant privacy notice, providing information on the processing of their personal data.
It is not necessary for employers to amend existing employment contracts; the privacy notice will override any invalid data protection clauses in the contract.
Under the GDPR, the information which must be included in the privacy notice is:
• the purposes for which the employer will process the employee's personal data;
• the legal bases for the processing;
• information about the retention period; and
• information about the employee's rights as a data subject.
This month, Simply-Docs has produced a GDPR-compliant privacy notice which should be issued to existing staff and contractors and which will sit alongside the contract of employment.
3. Employers should review existing documentation to ensure that processes and procedures adhere to the principles of GDPR.
The introduction of the GDPR means that employers should review their documentation to ensure that data protection and privacy considerations are embedded and only the minimum amount of personal data is collected and processed for a specific purpose.
Over the next month, Simply-Docs will review all of its HR policies and update them where necessary to ensure that they are GDPR-compliant.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific