The new General Data Protection Regulation (GDPR) will apply from 25 May 2018 and will replace the 1995 Data Protection Directive and EU Member States’ own privacy laws.
We previously reported that the Government has confirmed that the UK will implement the GDPR in May 2018, irrespective of Brexit. This, together with the substantially increased monetary fines for failure to comply, means that employers should already be preparing for the changes the GDPR introduces.
Engaging external data processors, such as payroll providers
The GDPR will for the first time apply directly to data processors as well as data controllers. A controller determines how and why personal data is to be processed; a processor processes that data on the controller’s behalf and on its instructions. In a significant change to data privacy regulation, the GDPR places new obligations directly on data processors, including obligations to maintain records of their processing activities and to implement appropriate security measures, and introduces fines for non-compliance by processors. These changes will affect external service providers engaged by an employer, such as the providers to whom some employers outsource their payroll function. Contracts with processors will require review and amendment, since the GDPR prescribes terms that a controller–processor contract must contain.
Appointing a Data Protection Officer
The GDPR will require some employers (depending on the type of processing) to appoint a Data Protection Officer. Employers will need to consider who within their business would be suited to and willing to take on the responsibility of this role, or consider recruiting externally or contracting out the role to a third party. The role of Data Protection Officer brings with it certain legal obligations and rights which will require reconciliation with employment law obligations.
Employee consent to processing
For sensitive personal data (“special categories” of personal data under the GDPR), consent must be explicit and demonstrated by a clear “affirmative act”. Statements in employment contracts regarding consent to the processing of such data may therefore be open to challenge if the employee has not signed their contract or otherwise indicated that they have read and understood the statements within it. Employers should also bear in mind that consent is unlikely to be regarded as freely given where there is a clear imbalance of power between the parties, as there generally is between employer and employee, so reliance on consent should be limited to cases where no other lawful basis for the processing is available.
Accountability and internal policies
The general obligation for data controllers to notify the Information Commissioner’s Office is being replaced with proactive accountability requirements, which include adopting internal policies and compliance procedures and being able to demonstrate compliance with the GDPR. Employers may therefore need to review any staff policies they have in place regarding data protection.
Employee subject access requests
Subject access requests are most often made by employees when a dispute has arisen and litigation is in prospect, and employers usually find them a burden to address. The GDPR is likely to increase that burden by:
Removing the £10 fee. While the £10 fee is insignificant, it is sometimes a deterrent, and under the current law the time period in which an employer must respond to a request does not begin until the fee is paid. There is to be an exception where requests are ‘manifestly unfounded or excessive’. In those circumstances employers will be able to charge a reasonable fee, taking into account the administrative costs of compliance, or to refuse to act on the request, although the employer will bear the burden of demonstrating that the request is manifestly unfounded or excessive.
A reduction in the time period within which employers must respond to a request, from 40 calendar days to one calendar month. It will be possible to extend the period by a further two months where requests are ‘complex or numerous’, but the employer must inform the employee of the extension, and of the reasons for it, within the original one-month period.
The risks to an employer of failing to comply with a subject access request have already increased following a recent employment tribunal finding that an employer’s refusal to respond to an employee’s subject access request contributed towards that employee’s unfair dismissal. Recent cases have also established that employees can recover compensation under the Data Protection Act 1998 for non-financial loss such as distress, including in circumstances where the employee has suffered no financial loss at all as a result of the data protection breach.