New rules coming in 2018 will require offices to make massive changes, says Kate Hodgkiss
The recent adoption of the EU General Data Protection Regulation (GDPR) heralds a new dawn in data protection, with far-reaching consequences for employers. Despite Brexit, it is almost certain UK businesses will, ultimately, need to comply with its requirements – not only because it will come into force before the UK is likely to leave the EU, but also because the UK Information Commissioner is recommending compliance for international trade deals.
For many, the new regime will require a completely new approach to processing personal employee data. Breaches will be penalised by increased sanctions.
Although the new regime is challenging, compliance is achievable with suitable planning, beginning with a thorough audit of existing practices. The UK’s Information Commissioner’s Office (ICO) has published useful guidance for employers on 12 steps to take now. The most important issues for employers will include:
• Grounds for processing employee data need to be audited: Employers will need to consider the basis on which they process employee data. Employee consent will almost certainly be invalid in the employment context, and can be withdrawn at any time.
• Data subject access requests will be easier for employees: No restrictions and no fees (unless requests are manifestly excessive) and responses no later than a month.
• Routine criminal records checks may not be allowed: This now appears to be unlawful as there is no requirement under UK law to carry out these checks.
• Employees have new rights to erasure and rectification of their personal data: One example would be where data is no longer necessary for the purpose for which it was collected.
• Employees have the right not to be subjected to automated decision-making: This is likely to apply to matters including: automated shortlisting; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering.
• Employers must notify data protection breaches within 72 hours: Relevant national data protection authority must be told within 72 hours of a data protection breach resulting in unauthorised loss, amendment or disclosure of data.
• Employers must be audit-ready at all times: Employers are expected to set up systems in a way which ensures compliance – restricting the data, use and access. The onus is on employers to prove compliance.
• Transfers of data to third countries may be easier: Under the new regime, personal data may be transferred to a third country or international organisation where there is a European Commission finding of adequacy, if appropriate safeguards are in place, or if one of a number of prescribed derogations is met.
• Onerous sanctions: Infringements over basic principles for processing and the rights of data subjects will attract maximum penalties of €20,000,000 or 4 per cent of total worldwide annual turnover, if higher.
• Appointment of a DPO may be required: Data controllers and processors may choose to appoint a Data Protection Officer (DPO) but must do so if they are a public authority, are required to do so by local law, have core activities requiring regular, systematic monitoring of individuals on a large scale, or carry out large-scale processing of sensitive data or criminal records.
As the regulation will come into force in 2018, employers would be wise to use this lead-in period to fully analyse existing data processing habits, question what data collection and processing is truly necessary for the employment relationship and introduce new procedures. If they do so, they can enter 2018 with their house in order, fully equipped to address the challenges ahead.
• Kate Hodgkiss is head of employment at DLA Piper in Scotland