GDPR one week to go…are you GDPR-compliant when it comes to your own staff?
Whilst many organisations have focussed on what the GDPR means for customer/client/supplier data from 25 May, have you taken the right actions with regard to your staff? We look at the very different considerations involved in being HR-GDPR compliant when it comes into force next week.
With just one week to go until implementation, it is impossible to have missed the General Data Protection Regulation (GDPR) coming into force on 25 May. Everyone is likely to be receiving an increasing number of "opt-in" emails as organisations ensure their handling of customers' personal data and mailing lists is compliant. However, what should organisations have done (or start doing!) with regard to their own staff? Many so-called GDPR experts have missed this internal aspect of GDPR compliance and the different requirements which apply when it comes to staff (for example, consent generally being invalid in the employer/employee relationship), including job applicants, employees, workers, temporary staff, volunteers and even consultants.
Our previous articles on the main aspects to be aware of for employers and the first draft of the Data Protection Bill are still relevant and an important place to start if your organisation has not already begun to consider HR compliance.
The new Data Protection Bill is still going through Parliament and has yet to be made law, but the Government's recently stated intention is that the majority of it is likely to come into force on the same day as the GDPR (next Friday), replacing the Data Protection Act 1998. The new rules impose a number of changes to the way employers can lawfully process the personal information of their staff.
Why does the GDPR affect employment documentation?
Employers should have already audited/be auditing the information they hold about staff to consider and document whether they can lawfully process it under GDPR conditions. In addition, employment documentation must be GDPR-compliant. Please see our HR GDPR flowchart for guidance below on the HR considerations and process for employers.
Firstly, it is well established that employers will generally no longer be able to rely on consent as the lawful basis for processing the personal information of their staff. Therefore changes are required to contracts of employment or other documents which rely on such consent (employers have often had in place consent clauses in employment contracts or a general data protection consent form, both of which are unlikely to be GDPR-compliant).
Removing consent as a basis for processing personal data and "special categories of data"/information about criminal convictions (previously known as sensitive personal data) is important both for new starters and existing staff. Official guidance on the GDPR states:
"Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent."
Secondly, in addition to updating existing documentation, all staff and job applicants will need to be given a Privacy Notice setting out certain mandatory information about their personal data. When the Data Protection Act 2018 comes into force, employers will also need an "appropriate policy document" to process special categories of data and information about criminal convictions. To date we have no real guidance about what is required for this document and are solely reliant on the wording of the Data Protection Bill. On this and many topics, the Information Commissioner's Office (ICO) is not producing guidance until the Data Protection Bill becomes law, which makes it very difficult for employers to prepare.
What do employers need to do?
- Existing employees, new starters and job applicants must be given Privacy Notices from 25 May. Privacy Notices must be bespoke to your organisation following your (or our) comprehensive audit of data held on staff, job applicants and leavers across your organisation. We can draft or review these for you at an agreed fixed cost. Whilst we know the ICO does not intend to come down hard on employers who do not have these in place on 26 May, failure to provide staff and job applicants with the requisite Privacy Notice information on or after 25 May will be a breach of the GDPR which could lead to investigation and fines by the ICO, and ultimately compensation claims by individuals.
- New starters should be given an updated employment contract/statement of employment particulars which does not rely on consent for the processing of personal data (note that employers may also have to revisit clauses on sickness absence and medical reports as well as clauses on the monitoring of any IT facilities or devices). The contract should also refer to complying with data protection policies and employer procedures on personal data breaches because the employer will be reliant on swift reporting by staff to comply with the very tight deadline it has to report personal data breaches to the ICO.
- Ideally, so that employees are not given the impression that processing their personal data relies on their consent, existing employees need to be written to with the requisite notification specified in their contracts notifying them of a variation to their employment contracts in relation to those clauses affected by GDPR. Don't forget to write to those absent from work for whatever reason. However, this should be approached with care as it is potentially a change to their terms and conditions of employment.
- Policies, documents and other letters will need to be updated, for example:
  - Offer letters
  - Job application forms and recruitment processes, so that a Privacy Notice is given at the time any initial information is collected. For online recruitment platforms, consideration needs to be given to any "killer questions" that are used, as these are likely to amount to automated processing for which special safeguards must be in place
  - Reference request letters – employers will be processing the personal data of referees and therefore need to give them a very short version of a Privacy Notice. Employers should only collect referee information at the point where it is actually needed
  - Disciplinary policies
  - Sickness absence policies
  - Letters regarding sickness absence and obtaining medical reports
  - IT policies and data security policies
  - Data protection policies (meaning, in this context, guidance on how staff handle the personal data of others, e.g. customers, clients, suppliers and colleagues)
  - Equal opportunities monitoring forms
- When the Data Protection Act 2018 (currently a Bill) comes into force, employers will be required to have an "appropriate policy document" setting out certain information on how they handle special categories of data in relation to legal rights or obligations in connection with employment, or information on criminal convictions. The Bill is not yet finalised and there is no guidance from the ICO on this document. A start can (and should) be made on it based on the draft legislation, but revisions may well be necessary when further guidance is available.
How we can help you
As well as helping you update contracts, policy documents and letters, we can offer a combination of any of the following:
- Providing general awareness training on GDPR for your HR staff.
- Helping your HR team carry out data audits (we can provide template or bespoke checklists asking the right questions – what do you hold, where, why, for how long etc).
- Meeting with your HR team to review data audit results (this drives forward what needs to change, stay the same, and what documents are needed or need changing).
- Amending internal processes as necessary (e.g. access to the data, retention periods).
- Providing (or reviewing) Privacy Notices for job applicants, staff (and leavers where appropriate) specifying the information required under the GDPR and their enhanced data protection rights.
- Providing an "appropriate policy document" for processing of special categories of information and information about criminal or alleged criminal activity in the employment context.
- Advising on whether you will be caught by new rules in relation to the automated processing of personal data.
- Advising on whether you should be carrying out Data Protection Impact Assessments for processing which is "likely to result in a high risk to the rights and freedoms of natural persons" such as monitoring the electronic communications or activity of staff on the employer's IT facilities.
- Assisting with changes to terms and contracts for existing staff.
- Providing guidance, training and templates for subject access requests.
- Specific training for HR or wider staff on data handling under GDPR.
Our Commercial Data Protection colleagues can review third party contracts with HR Data Processors (such as payroll providers, recruitment or benefits platforms) to make them GDPR-compliant. They can also help with a wider GDPR compliance plan and the documentation that will cover every area of your organisation which holds personal data about individuals, not just your staff.
In addition, organisations which carry out direct marketing activities will also need to take account of the Privacy and Electronic Communications Regulations. These are due to be replaced by a new e-Privacy Regulation in the next twelve months, which is likely to bring changes to direct marketing rules and new obligations for IT-based communications providers. Our Commercial Data Protection team can also advise on this.