Whilst GDPR applies largely the same principles as the current Data Protection Act 1998, it does introduce some new requirements including: (i) making it more restrictive to rely on consent as a legal basis of processing data; (ii) requiring bosses to document their compliance strategy; and (iii) providing more information to employees.
Each organisation will need to look at where their individual priority risks lie ahead of GDPR coming into force. However, there are a few more general things to be aware of when looking at your compliance strategy – here are our top ten.
(1) Consider and document the legal basis for processing employee data – Identify which legal basis you are relying on in order to process employee data. Ensure that you document the legal basis you are relying on and ensure your privacy notice explains it.
(2) Avoid relying on consent where possible – GDPR introduces strict requirements in relation to consent. For consent to be valid, it must be “freely given”. This will be difficult to demonstrate in the employment context where the employer asks an employee for consent to process his or her personal data as there is an inherent imbalance of power in the employment relationship.
Further, employees are free to withdraw their consent at any time, making it impractical for employers to use consent as the basis for their processing. It is also important to refresh any existing consents if they don’t meet the required standard.
(3) Review data sharing arrangements – Assess which third parties you share employee data with. It is important to ensure that a compliant data sharing agreement is in place for transfers to third parties. You may want to consider updating contractual arrangements with third parties in light of the GDPR to ensure data is treated in line with the required standards.
(4) Transparency is key to any compliance strategy – A key principle under the GDPR is transparency. GDPR includes requirements to inform individuals as to why and when their data is collected, processed and transferred. You should document which information you hold in relation to employees, where it came from and who you share it with.
It is important to also provide employees with information regarding retention of data, transfers to other countries and their individual rights as data subjects.
(5) Update privacy notice – Review your current privacy notice and update as required. Privacy notices must be transparent, concise, intelligible and in an easy to access form.
(6) Understand and document new data subject rights – Check your procedures to ensure they cover the rights that individuals have regarding their personal data, for example how you would delete personal data, ensure data portability or provide data in electronic format. Employers should also prepare for tactical use of individual rights in employment disputes.
(7) Be aware of changes to subject access requests – The GDPR introduces key changes to subject access requests. There is no longer a fee and there is a shorter timeframe to comply. Employers should update procedures and plan how they would deal with requests within the new timescales.
(8) Plan how to respond to data breaches – Organisations have a duty to notify the Information Commissioner’s Office of personal data breaches without undue delay and, if feasible, within 72 hours. In order to comply with this requirement, employers should ensure a clear process is in place. This should be supported by a training and awareness campaign to ensure employees are aware of their obligations to report breaches in a timely way.
(9) Monitor compliance, keep records and review – Employers should embed ongoing training programmes and ensure key decision makers are aware of the changes under the GDPR and the impact on existing processes and procedures. Regular updates on GDPR compliance should be provided to key stakeholders.
(10) Responsibility and accountability – Some companies will be required to appoint a Data Protection Officer, for example companies whose core activities involve regular, systematic and large-scale monitoring. However, those that aren’t required to do so should still designate an individual or team to be responsible for data protection compliance.
It is important that businesses take action now to review the management of employee data and take steps to ensure readiness for the GDPR, while remembering that every organisation has different characteristics and there can be no “one size fits all” approach to a compliance strategy.
Tilly Harries is head of PwC HR Support, a fixed fee employment law advice service, and Christina McGoldrick is employment solicitor at PwC