
Guide to the General Data Protection Regulations (GDPR)

The law in relation to data protection has been governed by the Data Protection Act 1998. This will remain in force until 25th May 2018 (“the implementation date”) when it will be replaced by the GDPR. If you require further information on the existing law, please see our guide to the Data Protection Act.

The GDPR is EU legislation that will come into effect across the entire EU on the implementation date. It will have direct effect in all member states and does not require domestic legislation. Because the implementation date falls before the UK’s departure from the EU, the GDPR will be the relevant law within the UK from that date.

The GDPR will comprehensively reform data protection law. Although many of the legal concepts under existing data protection law will remain, the GDPR will make significant changes, including:

  • New approaches to data and restrictions on processing
  • Expanded rights for data subjects
  • Significantly increased sanctions

The GDPR will apply to the processing of data relating to employees within the EU. This will include information about employees that is held outside the EU, for example where an HR database is located outside an EU country.

What will happen after Brexit?

On 7th August 2017 the UK government published a Statement of Intent setting out the government’s proposals for after the UK has left the EU. This will involve presenting a Data Protection Bill to Parliament setting out the law relating to data protection post-Brexit. The intention is that the Bill will duplicate the provisions of the GDPR in UK law.

This is significant for UK businesses which operate within Europe and share data across borders. The GDPR requires anyone handling a European’s data anywhere in the world to abide by its regulations. The legislation will allow British businesses to exchange and handle data with European partners without restriction.

Overview

Many of the basic principles of data protection law will remain essentially unchanged under the GDPR. As with previous legislation, the GDPR will apply to "personal data", meaning information that relates to an identifiable person. This includes information in an employee's personnel file, information held on HR systems, information contained in emails and information obtained through employee monitoring.

The GDPR regulates the "processing" of personal data. This includes the collection, storage, use, alteration, disclosure and destruction of information. The GDPR applies to controllers and processors of data.

A data controller is a person who collects, stores and processes personal data.

A data processor is any person (other than an employee of the data controller) who processes data on behalf of the data controller.

Individuals to whom the data relates are "data subjects".

Article 5 GDPR sets out the principles for data processing. Data must be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation')
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy')
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89(1) subject to implementation of the appropriate technical and organisational measures required by this regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation')
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')

Special Categories of Personal Data/Sensitive Personal Data

The GDPR replaces sensitive personal data with “special categories of personal data”. This specifically includes genetic and biometric data as well as data regarding racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation. Data relating to criminal convictions and offences is treated separately by the GDPR.

Accountability Principle

Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate compliance with” the principles of the GDPR (the “accountability principle”).

This is one of the most significant changes introduced by the GDPR. Employers are required to demonstrate that they comply with the data protection principles. Employers are required to keep extensive internal records of data processing operations. These must be available to be produced for inspection by the ICO.

For organisations with fewer than 250 employees, the requirements are less onerous. In these circumstances, the employer is required to maintain records of activities related to higher risk processing, such as:

  • Processing personal data that could result in a risk to the rights and freedoms of individuals; or
  • Processing of special categories of data or criminal convictions and offences.

Larger employers should keep an up-to-date written record containing information about all personal data processed by the organisation, including:

  • The purposes for which the data is processed;
  • A description of the categories of data subjects and the categories of personal data, including whether the data is sensitive personal data;
  • The categories of recipients of the data;
  • Any transfer of the data outside the EEA;
  • The anticipated periods of storage for the different categories of data; and
  • The technical and organisational security measures used to safeguard the data.

Employers should also:

  • Implement appropriate technical and organisational measures that ensure, and demonstrate, that the organisation complies. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies
  • Use data protection impact assessments where appropriate
  • Adhere to approved codes of conduct and/or certification schemes

Records of processing activities

In addition to the obligation to provide comprehensive, clear and transparent privacy policies, organisations that have more than 250 employees must maintain additional internal records of processing activities. There are some similarities with the ‘registrable particulars’ under the DPA which must be notified to the Information Commissioner’s Office (ICO). The records include:

  • Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer)
  • Purposes of the processing
  • Description of the categories of individuals and categories of personal data
  • Categories of recipients of personal data
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
  • Retention schedules
  • Description of technical and organisational security measures

If your organisation has fewer than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

  • Processing personal data that could result in a risk to the rights and freedoms of individuals; or
  • Processing of special categories of data or criminal convictions and offences

Data Protection Officers (DPO)

Under the GDPR, an employer must appoint a data protection officer (DPO) where it:

  • Is a public authority (except for courts acting in their judicial capacity)
  • Carries out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carries out large scale processing of special categories of data or data relating to criminal convictions and offences

A single data protection officer may act for a group of companies or for a group of public authorities, taking into account their structure and size.

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed

Data Subject Rights

Processing by consent

The GDPR introduces stricter requirements relating to employees consenting to the processing of data. Many employers include a broad consent to the processing of data in employment contracts. These will no longer be valid. The GDPR requires that consent must be "freely given, informed, specific and explicit". If a data controller obtains consent in a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Legal basis for processing

The GDPR requires that consent be freely given. This may mean that the validity of any consent given could be challenged because of the imbalance of power between employer and employee. Employers will therefore need a greater understanding of the legal bases for processing personal data under the GDPR.

Employers will need to rely on grounds other than consent, including that processing is necessary for:

  • Compliance with a legal obligation
  • The performance of a contract; or
  • The purposes of the legitimate interests of the employer or a third party

Examples of this type of processing include:

  • Where employers process employee data for tax or reporting purposes; or
  • To provide statutory employment entitlements such as annual leave, maternity pay or sick pay

These are cases when the employer would be able to rely on the ground that processing is necessary to comply with a legal obligation.

Another example could be when an employer processes employee data to fulfil fundamental contractual obligations such as paying employees or monitoring employee attendance. In this case the employer can rely on the ground that processing is necessary for the performance of a contract.

Breach Notification

Employers discovering a personal data breach must notify the ICO where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.

Data processors will also be required to notify their customers (the data controller), “without undue delay” after first becoming aware of a data breach.

Right of Access

Data subjects will be able to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten

The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.

Data Portability

This is the right of a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine readable format', and to transmit that data to another controller.

Information for Employees and Job Applicants

The GDPR will require employers to provide more detailed information about the processing of their personal data to employees and job applicants than under the Data Protection Act 1998. Employers commonly provide the information through information notices, also known as privacy notices or fair processing notices. Under the GDPR, the information that employers must provide includes:

  • the identity and contact details of the employer as a data controller
  • the data protection officer's (DPO) contact details (if the organisation has a DPO)
  • the purposes for which the data will be processed and the legal bases for processing, including, if relevant, the legitimate interests relied on
  • the categories of personal data to be processed
  • the recipients of the data
  • any transfer of the data outside the European Economic Area (EEA)
  • the period of storage
  • the rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority
  • the consequences for the data subject of failing to provide data necessary to enter into a contract; and
  • the existence of any automated decision-making and profiling, and the consequences for the data subject.

Employers must provide the information at the point of data collection. Where an employer wishes to process existing data for a new purpose, it must inform employees or job applicants of that further processing.

Data subject access requests

The Data Protection Act 1998 gives individuals the right to obtain from their employer (or former employer):

  • Confirmation as to whether or not their personal data is being processed
  • Information on their data, including the purpose of processing, categories of data collected and the recipients of such data; and
  • A copy of the data being processed

The subject access right is broadly similar under the GDPR; however, the employer will be required to provide the following additional information:

  • The envisaged period of storage
  • Details of the rights to have data erased, the right to restrict processing and the right to object to processing; and
  • The safeguards applied on a third country transfer of data

Under the GDPR, employers must provide the requested information without undue delay, at the latest within one month of the request (three months in the case of complex requests). This replaces the current 40 day period.

The present charge of £10 is abolished. No charge can be levied unless the request is “manifestly unfounded or excessive”. In these circumstances the employer may charge a “reasonable fee”, which can take into account administrative costs. In cases of manifestly unfounded or excessive requests the employer may refuse to act on the request altogether. The GDPR imposes wider obligations on employers to act with transparency, with particular emphasis placed on the clarity, transparency and accessibility of the processes used to handle such requests. When responding to a subject access request, employers will need to explain how they have approached it.

Privacy by Design

Privacy by design requires that, when designing systems, data protection is taken into account from the beginning of the design process, and that data protection risks are considered throughout the design and operation of a policy, process, product or service. In the words of the GDPR: 'The controller shall... implement appropriate technical and organisational measures... in an effective way... in order to meet the requirements of this Regulation and protect the rights of data subjects'.

Employers are required to put mechanisms in place within their organisation to ensure that only personal data necessary for each specific purpose is processed. To do this the employer should ensure that:

  • Only the minimum amount of personal data is collected and processed for a specific purpose
  • The extent of processing is limited to that necessary for each purpose
  • Personal data is stored for no longer than necessary; and
  • Access to the data is restricted to that necessary for each purpose

Sanctions for the Breach of GDPR

The GDPR introduces a much stricter compliance regime, with severe penalties.

The following sanctions can be imposed:

  • A warning in writing in cases of first and non-intentional non-compliance
  • Regular periodic data protection audits
  • A fine of up to 10 million euro or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (article 83, paragraph 4)
  • A fine of up to 20 million euro or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (article 83, paragraphs 5 and 6)

The GDPR also makes it easier for individuals to bring private claims against data controllers, including past and present employers. Any person who has suffered damage due to a breach has the right to receive compensation, including for distress and hurt feelings even where there is no financial loss. Data subjects can mandate an association to bring claims on their behalf, which may make employee group actions through a trade union more likely.

What should you do?

You should carry out the following steps before the implementation date:

  • Review all your documentation relating to data protection to ensure that it complies with the GDPR
  • Prepare for data protection breaches. You should have clear policies to deal with these and to ensure that breaches are reported to the regulator within 72 hours
  • Review your documentation relating to employees consenting to the processing of data. This must be in clear, plain English and should demonstrate that consent is freely given
  • Have a process in place to enable employees to withdraw consent
  • Review your procedures for dealing with subject access requests
  • Review your policies and privacy notices to ensure that they are compliant with the GDPR
  • Consider whether you have to appoint a DPO

If you need further guidance, please contact your HR Rely adviser.