HR work involves handling employees’ personal information, some of it sensitive, such as details about health or family life. Organisations are already familiar with their data protection responsibilities towards this information under the Data Protection Act 1998, but from May 2018, those duties will be tightened up under the General Data Protection Regulation. The new rules are intended to meet the needs of a digital age, and require a change in organisational attitude towards data privacy. HR has a crucial role to play in achieving the new goal of data protection by design and default.
This factsheet for CIPD members outlines what’s changing and what’s staying the same, new rights for individuals (such as the right to be forgotten), moving from consent to other lawful grounds for processing employee data, dealing with subject access requests (SARs), working with third parties such as payroll providers, keeping records and reporting data breaches to the Information Commissioner. It includes a checklist of which issues HR should be addressing in the run-up to the compliance deadline.
The GDPR heralds a significant change in the culture, as well as the processes, of how organisations handle data and there are stiff penalties for falling foul of the law. It’s vital that employers and HR professionals take steps now, if they haven’t already, to ensure they are prepared for the new data protection provisions coming into force in May 2018.
Data protection law is a highly technical area. To ensure that organisations fully understand the new rules and implement them in the most effective and compliant way, it’s essential they seek the appropriate legal and good practice advice and guidance at the outset. If an organisation fails to comply with any aspect of the new laws, the cost of such a breach could be considerable, not only in terms of the potential financial penalties but to its reputation as a business and as an employer. It’s also important that organisations properly communicate the new rules to their workforce so that all employees understand their responsibilities under data protection law.
What is the General Data Protection Regulation and how will it affect HR?
At the heart of the General Data Protection Regulation (GDPR) is a change in focus from regulating high risk data processing activities to improving data security in more routine matters. The GDPR aims to bring about a culture shift and HR’s role in this will be key.
Employers will need to review how they collect, hold and process personal data, as well as how they communicate with individuals about that activity.
Recruitment processes, performance management and bonus allocation, disciplinary and grievance procedures and policies, and any auto-processing, or use of employee data for marketing purposes, will need to reflect the new data protection measures and principles.
The regulation emanates from the European Union (EU) and is the biggest change to data protection law in over 20 years. Its aim is to expand, modernise and harmonise data protection laws across the EU and usher in the concept of data protection by design and default. It applies not only to organisations inside the EU but also to those outside providing goods or services, or monitoring browsing behaviour, within Member States. It applies directly to all EU states, including the UK, from 25 May 2018 and comes into effect with a hard landing – there is no transition period and no excuse for non-compliance from day one.
The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament which will amend the UK’s existing Data Protection Act 1998 (DPA) in line with the new rules and introduce additional changes.
Read our data protection in the workplace factsheet for more on the current UK situation.
What will change under the GDPR?
The most significant change as far as employers are concerned is the increased sanctions. Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater, and staying compliant is likely to lead to additional costs and administration.
The conditions for obtaining valid consent to processing personal data will become much stricter and employers are unlikely to be able to rely on this for processing employees’ data. Blanket wording in an employment contract arguably doesn't meet current data protection requirements, but it will definitely not meet the GDPR rules and employers should be wary of relying on this in future.
There are also greater transparency obligations. Organisations must provide more information on what data they hold and what they do with that data, both for those inside the organisation, such as employees, and those outside it, such as customers or clients.
Running parallel with this is a new emphasis on accountability, and this is not just a tick-box exercise. Organisations must be able to demonstrate their compliance to regulators – in the UK’s case, the Information Commissioner's Office (ICO) – on an ongoing basis and to maintain records, and individuals will have significantly increased rights to access their personal data.
Because the GDPR requires data protection and privacy by design and default, organisations need to build appropriate privacy requirements into their day-to-day operations and notify the ICO, and any individuals affected, if certain types of data breach occur.
What’s staying the same?
The GDPR’s data protection principles are similar to those under the DPA (except there are six, instead of the current eight). Organisations must be able to demonstrate that any personal data they handle is:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept for no longer than is necessary where data subjects are identifiable
- processed securely and protected against accidental loss, destruction or damage.
The definition of data processing will be similar to the existing one, although the definitions of personal and sensitive data have been expanded. The conditions for lawful data processing are similar too, but there are changes to the way organisations can rely on these (see, for example, consent below).
Data subjects’ rights are broadly recognisable, as are restrictions on processing data, but there is a new right to be forgotten. Likewise data security obligations under the GDPR are similar to those currently in place, but there are some increased requirements.
Expansion of individuals' rights
While many of these rights are similar to those under the current DPA, the GDPR expands them and introduces new ones. Data subjects, including employees, will have the:
- right to be informed about the processing of their personal data
- right to rectification if their personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within one month)
- right of access to their personal data and supplementary information, and the right to confirmation that their personal data is being processed
- right to be forgotten by having their personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it (again employers will have to respond without undue delay and within one month of the request)
- right to restrict processing of their personal data, for example, if they consider that processing is unlawful or the data is inaccurate
- right to data portability of their personal data for their own purposes (they will be allowed to obtain and reuse their data)
- right to object to processing based on legitimate interests or a public-interest task, and to processing for direct marketing (an absolute right), scientific or historical research, or statistical purposes.
Consent – traditionally the fall-back position for validating the collection, processing and transfer of employee data – will no longer be a safety net for employers. Organisations will need to either find a new route for obtaining employee consent, or find another ground on which to lawfully process employee data.
Under the GDPR, organisations will need to demonstrate in each instance that employees were:
- informed of the purpose and use of their personal data
- given a clear explanation of how it will be treated.
They will also need to show that employees gave their consent independently or freely to the specific use, purpose, or processing of that data and the consent will need to be clearly connected to the processing. Employees’ acquiescence, silence or lack of complaint about the processing will not meet the standard required, and neither will consent incorporated as a standard term in an employment contract or in broad data protection policies.
Identifying an alternative lawful ground for processing employee data is unlikely to be difficult (for example, collecting and holding bank details in order to pay a salary as part of an employment contract) but the range of employee data collected, the variety of reasons for collecting it, and uses it will be put to, pose a bigger problem. Employers will need to consider each separate category of employee data and record the grounds on which they will be lawfully processing it in each case.
Where employers have been using consent as a legal basis for processing personal data, it will remain valid, provided it meets GDPR requirements. If it doesn’t meet them, employers will need to renew it.
Lawful grounds for processing
Organisations may process personal information lawfully for a number of reasons, including in order to:
- perform an employment contract
- comply with a legal obligation
- protect the employee’s or another individual’s vital interests (for example, medical data during a health emergency)
- carry out a task in the public interest, or in exercising official authority vested in the employer
- protect the legitimate interests of the employer or a third party, except where this is overridden by the interests or rights of the employee.
Personal and sensitive personal data
Personal data is any information relating to a person who can be identified, directly or indirectly, either by an ‘identifier’ (a new concept under the GDPR) such as their name, or an identification number, or by location (also new for GDPR) or online data, or through factors specific to the physical, physiological, genetic (also new), mental, economic, cultural or social identity of that person.
Under the GDPR, it will be legitimate to process ‘sensitive personal data’ (which the GDPR calls ‘special categories of personal data’) where necessary to carry out obligations, or exercise rights, under employment law or a collective agreement, as authorised by law. What counts as sensitive personal data will remain broadly the same. It is information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data used to identify someone (for example, fingerprint images for security or internal payment systems).
Medical records are a common HR example of special category data. Criminal records are not in the special categories list but are subject to their own, similarly tight, restrictions under the GDPR. Criminal records checks will remain permissible when recruiting for a role which involves working with children or vulnerable adults but, as now, employers will not be allowed to carry out criminal records checks routinely.
Processing medical records will also remain permissible under the GDPR where necessary for preventative or occupational medicine, assessing working capacity, or confirming medical diagnoses.
Consent is not necessarily required, but the organisation must put in place safeguards on confidentiality. Employers will need to tell employees why the organisation is collecting the information, what is going to happen to it, who will see it, and so on.
Accountability and privacy by design
The GDPR requires businesses to demonstrate their compliance with the data protection principles and states explicitly that it is an organisation’s responsibility to do so. This means employers will have to:
- ensure and demonstrate compliance (for example, staff training on internal data protection policies, auditing processing activities, and reviewing HR policies)
- document data processing activities
- appoint a data protection officer (DPO) where appropriate
- only collect personal data that is adequate, relevant and necessary
- anonymise or pseudonymise data wherever the purpose allows. Anonymisation irreversibly removes the link to the individual, so the result is no longer personal data; pseudonymisation replaces identifiers with a token or key, so identities can be recovered by whoever holds the separately stored key, and the data remains personal data (encryption on its own is a security measure, not anonymisation)
- be open with employees about processing their data and allow them to monitor that processing
- improve data security features
- identify and limit any detrimental effects of data processing on individual privacy.
Data protection officers (DPOs)
Any organisation can appoint a DPO but, under the GDPR, organisations that are data controllers or processors will have to appoint one if they:
- are a public authority
- carry out, as a core activity, regular and systematic monitoring of individuals on a large scale
- carry out, as a core activity, large scale processing of special categories of data or data relating to criminal convictions and offences.
DPOs assist and advise on compliance with the GDPR, are the contact point for any data subjects and for the regulator (in the UK, the ICO), and should report to the highest management level (usually the board). They must be given adequate resources to meet these obligations, have a degree of independence, and protection from dismissal or detrimental treatment in connection with performing their duties.
Data subject access requests (SARs)
The rules around subject access requests, and the penalties for getting them wrong, are more onerous under the GDPR. The current £10 fee will disappear. Where a request is ‘manifestly unfounded or excessive’ (for example, repeated requests from the same individual for the same data), organisations may either charge a reasonable fee based on administrative costs or refuse to act on the request, and must be able to justify that decision.
Organisations must respond to a SAR without ‘undue delay’ and within one month (although this can be extended by a further two months for particularly complex or numerous requests, provided the individual is told within the first month). Currently the timeframe for responses is 40 days. There is no restriction on the number of SARs a data subject can make.
The first copy of the data must be provided free of charge, although employers can charge a reasonable fee for additional copies. If the request is made electronically, the response should be provided in a commonly used electronic form unless the individual asks otherwise (the stricter ‘structured, commonly used and machine-readable format’ applies to the separate right to data portability). Organisations can refuse to act only where a request is manifestly unfounded or excessive; a request that is unclear is a reason to ask the individual to clarify what they want, not to refuse it. Breaching the SAR rules falls into the higher tier of fines.
Employers need to be prepared for SARs being used to obtain information which may be useful in a tribunal claim. Organisations should:
- identify who is responsible for responding to SARs and provide sufficient training for them
- make staff likely to receive SARs (managers and HR teams) aware of the new rules
- make sure SARs are dealt with as efficiently as possible.
When organisations receive a SAR, they should:
- check its scope
- identify onerous SARs or those made for non-data protection purposes
- set clear deadlines for responding
- follow a procedure for preparing the response and document it.
If a SAR is made in the context of a disciplinary process or potential tribunal claim, organisations should make sure they are fulfilling their data protection obligations while protecting the business. Legal proceedings disclosure requirements are more onerous than the search requirement for a SAR, but organisations should not be disclosing something in a tribunal they didn’t disclose in an earlier SAR.
Sharing and transferring personal data
Organisations using third parties, such as payroll providers, external HR resource providers and recruitment agencies, to process employee data will be responsible for using only providers that give sufficient guarantees of GDPR compliance, and for having a written contract with each that sets out the required data protection terms (for example, acting only on documented instructions, keeping the data secure, and assisting with SARs and breach reporting).
International transfers of personal data add a layer of complexity. Organisations will need to check whether they are transferring data overseas, or using cloud-based HR systems whose servers are not located in the UK, ensure personal data is only transferred with adequate safeguards in place and provide employees with significantly more detail than hitherto on these measures.
The GDPR rules on transferring employee data across borders look much the same as those under the DPA, although Brexit may have an impact further down the line. However, employee consent will almost certainly not be a valid basis for transferring data under the GDPR. Before sharing or transferring employee data, organisations should:
- clarify what information they need and why, and what the receiving organisation will do with it. It may be possible to avoid sending personal data, or to justify the transfer under one of the legitimate grounds for processing (thereby avoiding the issue of employee consent)
- only share essential data
- anonymise or pseudonymise the data
- check contract terms with third parties are GDPR compliant
- check the data protection requirements and safeguarding protections in the host countries for overseas transfers of data.
Data security
Under the GDPR, organisations will need a level of data security appropriate to the risk involved in processing that data. The size of the organisation, how it operates, the volume and nature of personal information processed, and the potential harm that could result from a security breach, are all relevant.
In addition to having a clear policy for dealing with security incidents, organisations should:
- carry out a risk assessment of data systems and act on the results
- maintain up-to-date security systems (for example, using firewalls and encryption technology)
- restrict access to personal data to those who need it
- train staff on data security
- review data security regularly.
Record-keeping and the right to correct
Organisations with 250 or more employees must keep clear and easily accessible records of all their data processing activities. Smaller employers are exempt only for processing that is occasional, is unlikely to put individuals’ rights at risk and does not involve sensitive personal data or criminal records; because routine HR processing is not occasional, most smaller employers will in practice need to keep records too. The ICO can demand to see these records at any time, and employers need to be able to produce them quickly, for example in the event of a complaint or a disciplinary matter.
Data should only be kept for as long as is necessary to fulfil the purpose identified, or as required by law. Organisations should:
- think about the purpose for retaining the data
- consider whether there is a legal requirement to keep the data for a period of time (tax records, for example)
- decide whether the data is needed to defend a potential claim (such as application data for a job candidate, where there is concern about a discrimination allegation).
In each case, organisations will need to be able to justify retaining the data. Employees have the right to correct data about them (see above), so organisations will need to consider how to implement systems to respond and manage correction requests within the new timeframe.
Find out more about UK statutory and recommended time periods for keeping HR records.
Reporting data breaches
Organisations will be required to report personal data breaches to the ICO unless the breach is unlikely to result in a risk to individuals, and must do so without undue delay and, where feasible, within 72 hours of becoming aware of it. This is a change from the current approach in the UK and other EU states, where reporting is largely voluntary. Where a breach is likely to result in a high risk to those affected (for example, employee data sent to a third party that is not bound by GDPR-compliant safeguards), employers will also have to inform the data subjects themselves.
Action plan for employers
Organisations should carry out an audit to identify any data protection risk areas and take the first steps towards creating a data protection by design and default culture.
HR teams should identify:
- what personal and sensitive personal data is obtained from employees
- how and where that data is stored, accessed and used, and the legal basis for collecting, storing and processing it
- what data is shared with third parties
- what kind of monitoring of employees takes place and where.
They should prepare an action plan that specifies what needs to be done when (bearing in mind the compliance deadline), who will do what and any internal and external support required.
They also need to:
- consider what documentation must be prepared or updated
- review policies and processes and decide which to change (different policies may be needed for employees and managers)
- reinforce the changes through training (and keep attendance records)
- think about what needs to be shown to whom to demonstrate compliance.
The impact of Brexit
Both the GDPR and the EU-US Privacy Shield (which US companies can join by self-certifying their compliance in order to facilitate EU-US data transfers) are likely to be affected by Brexit, depending on whether the UK remains a member of the European Economic Area (EEA) or not. In addition, the strength of the Privacy Shield remains questionable in the light of recent developments in both Europe and the US.
If the UK remains in the EEA post-Brexit, the GDPR and Privacy Shield will remain as they are. If it leaves, the UK's options may be limited as it will need to meet the requirements of the EU (whatever they may be) in order to process EU data. The UK government has already taken steps to address this under the Data Protection Bill. Primarily there is a need to avoid a mismatch of data protection rights becoming a barrier to trade.
If the UK leaves the EEA, it is likely to need to adopt a new regime directly with the US for data transfers, in a similar way that Switzerland has done. Given the strengthened obligations under the GDPR to ensure the adequacy of data protection in international data transfers, this will be an important issue to resolve.
For more on what Brexit could mean for employment law, visit our Brexit hub.
Useful contacts and further reading
Lewis Silkin. (2017) GDPR - 11 things you need to do in your workplace.
Micro Focus - HPE Software. (2017) The road to GDPR compliance.
Books and reports
VOIGT, P. and von dem BUSSCHE, A. (2017) The EU General Data Protection Regulation (GDPR): a practical guide. Springer.
FOSTER, S. (2017) Get ready for 2018’s changes to data protection laws. PM Daily. 27 March.
KIRTON, H. (2017) What does HR need to know about GDPR? PM Daily. 23 August.
TREVELYAN, L. (2018) The GDPR: everything you know about data protection is changing. PM Daily. 22 February.
CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.
Members and People Management subscribers can see articles on the People Management website.
Stephanie Creed: Associate, Taylor Wessing
Stephanie is an associate in the Employment, Pensions & Mobility group at Taylor Wessing LLP, specialising in all aspects of UK employment law. She has developed a particular niche in relation to HR data privacy issues and the GDPR, but also advises on a broad range of matters, including recruitment and terminations, restructures and redundancies, TUPE, post-termination restrictions, and the employment aspects of corporate and commercial transactions.
Rachel Suff: Employee Relations Adviser
Rachel joined the CIPD as a policy adviser in 2014 to increase the CIPD’s public policy profile and engage with politicians, civil servants, policy-makers and commentators to champion better work and working lives. An important part of her role is to ensure that the views of the profession inform CIPD policy thinking in ER areas such as health and well-being, employee engagement and employment relations.
As well as developing policy on UK employment issues, she helps guide the CIPD’s thinking in relation to European developments affecting the world of work. Rachel is a qualified HR practitioner and researcher; her prior roles include working as a researcher/editor for XpertHR and as a senior policy adviser at Acas.