Data Protection changes – why HR needs to know about it now

Posted by Ruth Christy on
The "GDPR" has received a great deal of publicity, but what exactly is it, and how will it change things for HR?

The GDPR is short for the General Data Protection Regulation, a new law on data protection that will come into force in the UK (and across the EU) on 25 May 2018. An EU "Regulation", unlike an EU Directive, does not require the UK to produce and implement its own legislation – the GDPR will simply become UK law from that date. Brexit will not make a difference to this. Even when the UK leaves the EU in 2019, UK law on data protection is expected to continue to be the same or very similar to the GDPR, so it's here to stay.

While there are a lot of similarities with the UK's current Data Protection Act (DPA) 1998, there are significant differences. The GDPR presents employers (also known as data controllers) with a number of important changes concerning both the way they handle information about their employees and what they tell employees about the information they store.

If it seems too early to start thinking about a law that comes into force in May next year, think again. In the digital age, it only takes a few moments to realise just how much information organisations and employers store and process about individuals – whether those individuals are employees, customers, suppliers, or even simply contacts the organisation believes may be useful in the future or has kept records of in the past.  It is likely to take organisations time to examine exactly what information is held, why, where and how, before being able to comply with the new GDPR rules on proactively informing individuals about:

  • the information they hold/use;
  • the lawful basis for holding/using it; and
  • the individual's new/extended rights.

The GDPR will reach right across every area of your organisation that holds personal data about individuals, not just your employees. In addition, a new e-Privacy Regulation will bring changes to direct marketing rules and new obligations for IT-based communications providers.

Our Blake Morgan expert GDPR team has produced a guide on both of these topics. Compliance will be an organisation-wide project and if your organisation hasn't already made plans for how to comply or has any queries, please do get in touch with the team.

Add into the mix a new Data Protection Bill, announced in this year's Queen's speech, which is due to replace the current DPA 1998, not only implementing the GDPR (although if the Bill is passed after 25 May 2018, the GDPR will already be "implemented") but also introducing new rights such as allowing individuals to ask social media platforms to delete information held about them at the age of 18 and updating the DPA for the digital age. As yet we have no draft of the Bill and no planned timetable, but we do know that if it is not in force by May 2018, the GDPR will automatically override any parts of our existing DPA 1998 which conflict with the GDPR.

What does the GDPR mean for HR?

Most HR professionals will have at least a basic understanding of how the DPA 1998 interacts with day to day HR issues. For example, they are likely to know that there are stricter controls on processing "sensitive personal data" (such as medical information, racial or ethnic origin, or religious beliefs) than there are on processing other "personal data". Employment contracts may contain consent clauses, or employers may use separate consent forms when it comes to sensitive personal data (although there has always been a question mark over the effectiveness of such contract clauses bearing in mind the contract is often "take it or leave it"). They will be aware that they need to take into account the Information Commissioner's Employment Practices Code when it comes to recruiting, handling information generally and more specifically handling information about workers' health, as well as monitoring (e.g. phone calls, emails, internet use – even in some cases covert CCTV monitoring) which is often one way that disciplinary issues may come to light or be investigated further.

Generally the GDPR builds on a lot of the DPA's existing principles. Some of the key changes are:

DPA 1998 requirement Additional/different GDPR requirement
Personal data must be processed lawfully and fairly…  AND in a transparent manner. There are many aspects of data processing which individuals must be told about through privacy notices. 
Personal data must be kept accurate and where necessary kept up to date.     Every reasonable step must be taken to ensure inaccurate data is erased or rectified without delay.

Subject access requests – up to 40 days for employer to respond and £10 fee chargeable.

Employee can request inaccurate data to be rectified. 

Employers must respond without undue delay and in any event within 1 month (with a potential for extension). £10 fee abolished.

Significant additional rights for employee to have information deleted, processing restricted, or object to processing.  
Fines for non-compliance are currently up to £500,000. Fines for non-compliance up to €20 million or 4% of total worldwide annual turnover, whichever is greater.
Sensitive Personal Data is defined as racial or ethnic origins, political opinions, religious or other beliefs, membership of a Trade Union, physical or mental health or condition, sexual life, information relating to the commission or alleged commission of a criminal offence.  The GDPR calls this "Special categories of data": personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying someone, data concerning health, or a person's sex life, or sexual orientation. Criminal offences are dealt with separately. The UK will need to legislate for this to the extent not already provided for in law.
Consent must be explicit and freely given (there is currently little guidance on this) and is often used by employers as a lawful reason for processing sensitive personal data although under the current law this could be questioned. Consent is now definitely unlikely to be appropriate for employers to use to process data except in limited cases. This is due to the imbalance in the nature of the employer/employee relationship and new conditions around how "consent" is to be interpreted under the GDPR. 
Register with the ICO

Now employers will have to demonstrate accountability with the GDPR and, where applicable, that they have carried out appropriate privacy impact assessments.

All public authorities and some employers will need to appoint a Data Protection Officer (many may already have one and some employers will do so voluntarily).

What needs to change and when?

The main changes HR will need to address are:

  • issuing job applicants and employees with a document detailing what type of information about them is/will be stored, on what legal basis, and what their rights are in relation to that information (called a "privacy notice"). Employers should be doing something similar already, but under the GDPR it will need to be a lot more detailed especially the bases on which the information is stored/used, the individual's extended rights, and retention periods;
  • preparing for the above by identifying the information stored/used, choosing which legal basis/bases to rely on, and presenting this and the employee's rights in clear language;
  • making sure that as an employer, consent, in general, is not relied on as a basis for lawful processing (see further below). This will mean changing general data protection consent forms, application forms, contracts and other documents which ask for consent to process personal data.
  • training staff on the significant changes to employee's rights in relation to accessing their information, asking for it to be rectified, deleted, restricted or to object to the employer using/storing information. In addition, where consent is used, staff must understand the new limitations to this.

It will be important for HR and IT teams to work together closely on understanding what information is stored and used. Where years ago HR teams might have been considering only a personal file, now they will have to consider the wide range of digital information held on employees including activity on work IT systems, mobile devices, vehicles, significant advances in CCTV and wearable technology. In many cases employees could be completely unaware of the breadth of information the employer holds and how it is used.

Lawful processing of data for employers

The main grounds for processing personal information (data) about employees are not that different from those under the DPA for most employers, although there are some significant changes for public authorities.

For processing sensitive personal data, however, employers make wide use of employee consent, as mentioned above. However, the GDPR's much stricter rules on consent, the limitations on it and the ease with which employees must be able to withdraw it, mean consent is not likely to be able to be relied on generally by employers. Indeed that is the current recommendation both of the ICO and the EU GDPR Working Party (although there may still be specific circumstances in individual cases where consent is appropriate). Therefore, employers must look to other lawful means of processing these special categories of personal data, such as:

  • to carry out the employer's or employee's obligations or exercise their rights in the field of employment under EU or UK law or under a collective agreement complying with UK law which includes appropriate safeguards for employees;
  • for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment;
  • where the data is manifestly made public by the employee; or
  • for the establishment, exercise or defence of legal claims.

In each case the legal basis for processing will need to be established.

Next steps

The clear message to employers is to start preparation now, due to the sheer scale of information most employers process, whether as employers or in any other capacity. Make sure the key people in your organisation are aware of the work to be done, in particular the initial organisation-wide analysis of what data is held, where, why and how. Our specialist GDPR team can help you with:

  • outlining and discussing the key requirements
  • carrying out a data protection audit
  • drawing up plans for your GDPR compliance
  • drafting, reviewing and amending your existing contracts and privacy notices with customers, suppliers and those who process data on your organisation's behalf
  • drafting data protection policies and procedures
  • training those affected at all levels of your organisation.

In addition, in tandem with our GDPR team, our employment specialists can help you with:

  • drafting/amending privacy notices for job applicants and employees
  • discussing and making changes to your contracts of employment and other documentation
  • advising on the impact of the GDPR in relation to day-to-day HR issues including recruitment, monitoring and social media
  • training HR teams and staff on the changes.

Finally, watch out for the proposed Data Protection Bill – we will continue to keep you updated.

To download our free GDPR guide click here.

About the Authors

Ruth provides guidance for clients and keeps them up to date with the fast pace of change in employment law.

Ruth Christy
Email Ruth
023 8085 7374

View Profile

Holly is an experienced employment lawyer who uses her technical expertise and academic legal knowledge to find pragmatic and commercial solutions for clients.

Holly Cudbill
Email Holly
023 8085 7472

View Profile