Employers and HR hold and use various types of personal data in relation to their employees, workers and consultants (and applicants and former staff). This includes employee and HR data; records and information which employers will obtain and process on a day to day basis (such as names, addresses, pay information, absence records, medical information, emails, disciplinary and grievance matters; IT monitoring and CCTV data). These examples of personal data have to be handled in accordance with data protection legislation.
For processing “special category data”, there are more specific rules e.g. for health information contained in Occupational Health reports; absence records and medical notes; and equal opportunities questionnaires which may be obtained for equal opportunities monitoring.
Issues to look out for: We have identified a few areas which are likely to be relevant for employers and HR. How do you deal with the following?
- Recruitment: When someone applies for a role with you (whether through a formal application process, or by emailing a speculative CV, or otherwise) they will provide you with personal data. You must therefore provide them with a privacy notice. Further, GDPR restricts employers in terms of both automated decision-making and profiling of individuals' personal data when there is no human involvement. Questions arise in relation to how long it is necessary to retain an applicant’s personal data (particularly if their application is unsuccessful) and whether you can record information about their criminal convictions.
- Employment Contracts: Under GDPR consent is no longer a valid legal basis for processing where there is an imbalance of power between the individual and the organisation, for example, in the employee-employer relationship. Accordingly, many employment contracts will be inaccurate or out of date, as they often refer to the employee consenting to the employer's processing of their personal data. This should be reviewed and the contract updated to give lawful reasons for processing data.
- Privacy Notices: Employers must give applicants and employees (and consultants and workers) a privacy notice. These are sometimes referred to as ‘fair processing notices’. These notices must include certain minimum information, including the lawful basis for processing, who the information will be shared with, and whether any automated decision making or profiling will take place. Notices should also be reviewed regularly to ensure they continue to be fit for purpose and legally compliant.
- Policies and Procedures: We recommend that employers update their data protection policy to ensure GDPR compliance. Employers should also review other policies (such as their disciplinary policy, grievance policy, equal opportunities policy, whistleblowing policy, CCTV policy, drug and alcohol monitoring policy and so on) to ensure GDPR compliance. Employers may also wish to introduce new policies, such as data retention policies and subject access request procedures.
- Subject Access Requests (SARs): GDPR has changed some of the rules in relation to SARs. Remember that any emails in relation to particular employees may be caught by a SAR and may have to be disclosed to the employee making the request. Employees may decide to make SARs during and after recruitment or employment; when they have been dismissed or during disciplinary processes. You should be sure to understand the data subject’s rights when a request is made, and how to respond.
- Data breaches: there are new obligations relating to data breaches, including in come cases, specific requirements to notify the Information Commissioner’s Office (ICO) – the UK supervisory authority – within 72 hours of discovery of a data breach and in certain circumstances, to notify the individuals affected. Those dealing with employees need to be aware of breaches which could affect employees (e.g. leaks of employee data) as well as actions of employees which could cause a breach, and how to respond. Having in place processes and procedures to minimise this risk is vital. The recent cases show how volatile a situation can be when dealing with employee data, and that the duty on employers to take care for employees’ data is onerous.
Protect your profits: We have all heard about the potential (eye-watering) fines for non-compliance with the data protection laws: up to 4% of your annual worldwide turnover or € 20m, whichever is the higher!
Protect your reputation: More importantly we have seen the negative press coverage when organisations get it wrong which can be very damaging to an organisation’s reputation and goodwill (Data Analytics and British Airways come to mind!).
Compliance is a sell: Good data governance and compliance are easy sells to customers.
How can we help?
We can help businesses, both controllers and processors, in a number of ways to suit the needs of your business, from template documents to tailored advice and assistance:
1. Auditing and Data Mapping
To work towards compliance you need to know where you stand currently.
Our specialist employment law and data protection teams work closely together. We perform data protection audits to identify any compliance gaps in your processes and recommending compliance solutions using a ‘traffic light’ coded action plan. As part of this process, we help clients to ‘map-out’ their data flows, which forms the basis of a business’s record of processing activities (which means from the assessment we undertake, you are already on your way to working towards compliance requirements).
2. Training and workshops
Key to compliance is awareness.
Online training: We provide online training for employees and managers on a subscription basis. This is a useful tool for reaching large audiences quickly at a time and place that is convenient to them and to you.
Face-to-face training: We also provide interactive face-to-face training (on-site or off-site) to allow staff to ask questions and to work through practical examples. This training can either be a general overview of data protection or we can provide specific tailored workshops for your needs and on key issues such as, direct marketing, collecting customer data, employee data and responding to SARs, dealing with personal data breaches, drafting GDPR compliant contracts, etc.
3. Template and Tailored Documents
Our specialist employment team offer a fixed fee GDPR/employment documentation package. This is a useful starting point towards GDPR compliance; and includes a template data protection clause for employment contracts, a template privacy notice for existing staff, a privacy notice for applicants and speculative CVs, and a template data protection policy.
We also have a number of template guidance tools, policies and procedures, and contracts that we can offer and tailor to your business’s functions, including:
Privacy Notices: We can assist with preparing internal privacy notices, aimed at employees and directors, and external facing privacy notices aimed at your customers, employees and job applicants.
Privacy Notice Checklist: To help you draft your privacy notices in accordance with the detailed requirements of the GDPR.
Direct Marketing Flowcharts: To assist you in determining whether or not you can contact individuals and businesses with direct marketing materials (this is an area that caused a lot of confusion in the lead up to May 2018!).
Legal Basis Flowcharts: To allow you to easily work out when you can lawfully process the personal data you hold.
Data Protection Policy and Privacy Standard: Let your staff and directors know what is expected of them when they process personal data as part of their role.
Personal Data Breach Policy and Procedure: If you have a notifiable personal data breach, you only have 72 hours from becoming aware of the breach to let the ICO know. This means that your staff need to be able to act quickly, and a procedure outlining the process for dealing with a breach will assist with this.
Guidance Tool – Determining Roles of Parties: Before appropriate contractual arrangements can be put in place, businesses need to know what role they play under data protection legislation (sole controller, joint controller, processor, sub-processor, all of the above…) and this guidance tool assists you in determining this.
Data Processor GDPR Checklist: Before selecting a service provider, it is important that you are comfortable with their security measures (which should at least align with yours), their data protection compliance status, their location, and the sub-contractors they engage.
Contracts: We provide template data processing and data sharing agreements (for use with partnering organisations) to suit your business, whether by formal contract, or a more informal FAQ/Protocol document. We can also review and update your existing contracts with IT service providers, suppliers, etc.
Consent: Consent is more difficult to obtain under the GDPR and also brings with it new rights in favour of the individual, placing new requirements upon businesses. We can assist you with ensuring that your consent requests are valid, and advise you when consent is not the most appropriate legal basis to rely on and what other options are available to you.
DPO Advice Note and Questionnaire: Understand if you need a Data Protection Officer (DPO) under the GDPR and document your assessment and decision making (data protection accountability is all about good record keeping).
Template DPIA: If you are implementing a new procedure or project (e.g. new HR and payroll software, loyalty card scheme or CCTV system) that is likely to result in a high risk to the rights and freedoms of individuals, then you must carry out a Data Protection Impact Assessment (DPIA).
Procedure for Data Subjects' Rights: A request from an individual can go to anyone in your business, it can be made verbally, and the individual does not need to expressly state that he/she is making a request to exercise a data protection right. To ensure that all your staff know how to identify and deal with these requests, it is important that a clear procedure is in place.
4. Tailored Advice and Assistance
As well as assisting you to ensure that your documentation meets the requirements under data protection law, we can also provide advice and assistance on all matters related to data protection and privacy, and have assisted a number of employer clients with tailored advice on many practical areas, including:
- privacy notices for staff and job applicants/speculative CVs
- monitoring and tracking employees
- intra-group data transfers
- Subject Access Requests
- personal data breaches
- data sharing arrangements and international transfers
5. International transfers
We provide advice and assistance on all matters relating to international data transfers; whether this is within a group structure or simply as part of provision of services. We can assist you to ensure that your international transfers are carried out lawfully and regularly advise on matters such as Standard Contractual Clauses and joining the EU-US Privacy Shield. If your business requires guidance on particular jurisdictions, we can assist you in getting that guidance through our worldwide network of data protection experts.