With so much uncertainty around the likelihood and possible content of the UK-EU trade negotiations, and the economic impact of the pandemic, it's understandable that preparing data protection strategies might not have been top of your list of activities.
Employers must review data protection documents ahead of the law changing
What’s certain is that data protection laws will change at the end of the transition period (31 December 2020) as the UK leaves the EU. The UK will no longer be governed by the GDPR, and all organisations will need to review and, if necessary, make changes to their privacy notices (including job applicant and staff privacy notices) and contracts of employment/service agreements, as well as other data protection policies/documents to reflect the change to UK law. For example, changes to privacy notices may include whether personal data is transferred to countries outside the UK rather than outside the European Economic Area, and references to the “General Data Protection Regulation” or “GDPR” may need to be updated. For some, who do not operate in Europe and who do not transfer data outside the UK, little else may change at the end of the transition period.
However, with the changing world of work as a result of the COVID-19 pandemic, now is a good time to review your staff privacy notices and policies/procedures for anything else that might have changed and update them accordingly. For example:
- have you introduced any monitoring software for those who work at home, whether on laptops or other devices?
- have you introduced facial recognition technologies to minimise the surfaces your staff touch in the workplace?
- have you introduced your own COVID-19 testing procedures at work?
Innovations such as the above will need to be included in your privacy notices and policies, as well as requiring Data Protection Impact Assessments to be completed.
Amendments which are made to job applicant and staff privacy notices and other data protection documents will need to be notified to staff. The amendments should be visible, either on a work intranet if the documents are stored there, or, if hard copies have been given, employees will need a copy of the changed wording (even if it is only the relevant section which has changed). Either way, any amendments should be clearly brought to the attention of your staff. Special consideration will need to be given to how this is communicated if it involves an actual change in the data you collect and how it is used, as opposed to the minor changes necessitated by the end of the transition period on 31 December 2020.
The impact on HR data protection strategies
As the transition period comes to an end and the UK becomes a “third country”, there is likely to be an impact on international data transfers. Once the UK is a non-EU member, personal data transfers (including those relating to staff as well as customers) between the UK and EU/EEA countries will be “restricted” unless an appropriate transfer mechanism is used. Both solely UK-based and international employers could be impacted if:
- You have outsourced any operations to an EU country – e.g. payroll, recruitment, HR, benefit or IT platforms/services (NB: also check UK-based outsourcing suppliers, which may in turn be reliant on EU services);
- You use a cloud service provider based in an EU country;
- You are a UK organisation managing some staff based in the EU;
- You are an international or EU-based organisation where some or all of the HR function is managed in the UK, regardless of parent or subsidiary companies;
- You are an EU organisation with some staff based in the UK.
Whilst these are HR operations, any data flow between customers, suppliers or other relationships within the EU may be impacted.
It is likely that outsourced operations and cloud providers based outside the UK will be working to ensure that appropriate transfer mechanisms will be in place, but employers should contact their suppliers to seek reassurance before the end of the transition period.
One method of legitimising personal data transfers between the EU and a third country is where the European Commission makes an adequacy decision in respect of that country. The Department for Digital, Culture, Media and Sport (DCMS) has been confident that the UK will be given an adequacy decision, which would enable continuation of the status quo and recognition that, as at the end of the transitional arrangements, UK and EU law is aligned.
That confidence will have been undermined by the recent European Court of Justice decision in La Quadrature du Net, which has challenged the wholesale data retention frameworks adopted by a number of EU countries and the UK. The ECJ ruling found that national laws requiring bulk data communications to be made available to the security agencies were contrary to EU fundamental rights. Taken alongside the ECJ decision in the Schrems II case earlier in July, which criticised the intrusive nature of the US surveillance laws, it makes it less likely that the EU will be prepared to give an adequacy decision to the UK, especially given longstanding concerns over the extent of surveillance that the UK has to date been able to justify under the national security exemptions it has enjoyed as a member of the EU.
Whilst the deadline for concluding negotiations on the new trade deal has been set at the end of October, it isn’t certain that the position will be concluded by then. In the face of this uncertainty, organisations need to be prepared to have in place alternative transfer mechanisms to preserve the lawfulness of their international data transfers, including the personal data of their own staff. Whilst there are a number of potential mechanisms, for most organisations the Standard Contractual Clauses provide an obvious solution. But beware, they aren’t appropriate for all circumstances, and they can be a time-consuming exercise to implement, assuming that the organisation is fully aware of all its data flows. With 1 January 2021 fast approaching, it is important that organisations take steps now to be ready, and avoid the potential risk, liability and reputational impact of non-compliance.
The Information Commissioner’s Office (ICO) has published a specific guidance and resources page to help organisations prepare. This contains a lot of useful information and specifically states that organisations should consider whether to seek separate professional advice before making specific preparations.
There are a number of steps that organisations may need to take to comply with the new UK GDPR regime as a result of leaving the EU. Our data protection and employment experts work with businesses and organisations to help them navigate these issues. Contact us at [email protected] or your usual Blake Morgan employment contact who will be able to direct you to the right specialist for specific advice and support.