25/07/2017

A close up on the GDPR

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It is EU legislation, but it will come into force before Brexit takes effect and so it will apply to us. The need for change comes from the way in which data is now published and shared, for example online and on social media, where data easily crosses national boundaries. UK businesses and organisations will still be subject to the GDPR, or an equivalent version of it, post-Brexit if they monitor the behaviour of, or offer goods and services to, citizens in the EU from the UK.

The Information Commissioner’s Office (ICO) has issued draft guidance in connection with the GDPR, but we await the final form of this.

What will stay the same?

The good news is that the GDPR retains the core rules and principles that we have in the Data Protection Act 1998 (DPA) and so a lot of it will be familiar to us. You may remember that the eight principles for processing personal data under the DPA are that personal data must be:

  • Processed fairly and lawfully.
  • Processed for limited purposes and in an appropriate way.
  • Adequate, relevant and not excessive for the purpose.
  • Accurate.
  • Not kept longer than necessary for the purpose.
  • Processed in line with data subjects' rights.
  • Secure.
  • Not transferred to people or organisations situated in countries without adequate protection.

What is new?

Accountability and financial penalties – businesses will need to demonstrate that they have complied with the GDPR by keeping accurate records, and may face significant fines for data breaches (up to 20 million euros or 4% of annual worldwide turnover, whichever is greater). Individuals will also be able to claim financial compensation for data breaches where they result in financial loss or distress.

Consent – it has always been important to obtain consent from individuals before processing their personal data, but under the GDPR consent will be harder to get. Consent may be withdrawn at any time. More on this below…

Data Protection Officers – many businesses will be required to formally appoint a Data Protection Officer, that person having their own duties to perform.

Rights for individuals:

  • Individuals will still have a right to make a Subject Access Request, but the time for compliance is reduced from 40 days to 30 days and the right to charge a £10 administration fee is abolished.
  • Individuals will have a right to have data erased, which you may have heard of as “the right to be forgotten”. More on this below…

Processing personal data

Please note that you do not always need consent in order to process personal data. Obtaining consent is one lawful basis for processing, but there are five others. You only need consent when none of the other five lawful bases applies.

The lawful bases for processing personal data are:

  • It is a necessary part of fulfilling a contract with the individual – this means that you do not need consent to collect, hold and process personal data that you need in order to meet your obligations under an employment contract.
  • Compliance with a legal obligation.
  • Protecting someone’s life.
  • Fulfilling an official public function or task.
  • In the private sector only, if there is a genuine and legitimate reason to process the personal data that outweighs any potential harm to the individual in question.
  • Consent from the individual.

Do you need consent as an employer?

You need to consider whether the personal data that you are collecting, holding and processing in connection with your employees is necessary for meeting your obligations under your contract of employment with them.

It will be necessary for you to collect their full name and address, date of birth and national insurance number. It is likely to be necessary for you to collect information about their health, e.g. through self-certification forms, fit notes and accident books.

It may be necessary to collect their personal email address as a means of communication, bank details as a means to arrange payment to them, etc.

It is unlikely to be necessary to monitor their use of email or the internet, install a tracker in their company vehicle or capture images of them on CCTV. This form of monitoring has been looked at by the Employment Tribunals in the context of the right to privacy. It is necessary to inform the individual what monitoring will be carried out, how and why. You must have a genuine and legitimate reason for carrying out the monitoring, and this must not be outweighed by the potential detriment to the individual.

It is unlikely to be necessary or appropriate for you to collect information about their sexual orientation, political beliefs, religion, etc. If you do collect such information for the purposes of equal opportunities monitoring you must make sure that you use an anonymous system so that the data collected is not attributable to a particular individual.

It will not be necessary for you to collect, hold or process personal data other than to meet your obligations under the contract of employment. For example, it will not be necessary for you to collect their personal email address for the purposes of marketing goods and services to them.

Although you don’t need consent, you should still inform your employees of what personal data you are collecting, holding and processing, why you are doing it and who you are sharing that personal data with. It is likely to remain good practice to include a statement about this within a contract of employment so that you can demonstrate that the information was given to the employee and that they signed to confirm receipt (if not consent).

If you do need to obtain consent…

There will be specific occasions on which you need to obtain consent because the collecting, holding and processing of personal data is not strictly necessary for meeting your obligations under the contract of employment. For example, if you want to write to an employee’s GP about their health, or if you want to monitor employees’ internet and email usage and cannot show a genuine and legitimate reason for carrying out the monitoring that is not outweighed by the potential detriment to the individual.

The GDPR requires a higher standard of consent than we are used to. Previously an individual had to give their free agreement to personal data being processed. Now, that consent must also be unambiguous and given by way of a statement or clear affirmative action. This means that it will not be acceptable to assume consent automatically and ask people to opt out, as you may have been used to in terms and conditions or when using online services, e.g. where you tick a box to opt out of receiving marketing. Instead, you will have to ask people to proactively “opt in” to give their consent.

When asking for consent, you will need to make clear what the consent is for (e.g. what personal data you will be collecting and processing, and why) and also who you will share the personal data with, being very specific as to the identities of such potential recipients. You will need to record the consent. An umbrella consent form that requires consent to a broad range of data collection and processing may not be acceptable and you should consider whether you can break the consent down into various components.

You must also inform the individual how they can withdraw their consent and that they can do this at any time. Remember that the individual can withdraw their consent to personal data being processed going forwards, but can also ask to be forgotten.

Generally, any consent being requested is to be obtained separately from any sign up to other terms and conditions so that provision of a service is not seen as being dependent upon the person agreeing to share their data in the ways that you wish.

The Right to be Forgotten

Employees will have a right to request that personal data is erased. This will apply only where:

  • The processing of personal data is no longer necessary in relation to the purposes for which it was collected or processed.
  • The personal data has been unlawfully processed.
  • The individual has objected to the personal data being processed and the employer cannot show that they have an overriding legitimate reason for continuing.

What should you do now?

The GDPR comes into force in May 2018, but there is a lot to do between now and then. You may need to:

  • Identify what personal data you hold and determine whether you need to hold or process it.
  • If you do need to hold or process that personal data, make sure you understand what it is, why you need it, how you hold and process it, and how you keep it secure.
  • Evaluate who has access to that personal data internally.
  • Evaluate who you share that personal data with externally and consider whether you need separate agreements in place to secure that personal data.
  • Check that your data protection policies make clear:
    • what personal data will be collected, held and processed and why;
    • who has access to personal data and who you will share personal data with;
    • whether personal data will be sent outside of the EU and the legal basis for this;
    • how personal data will be stored and processed;
    • how long personal data will be stored for;
    • how personal data will be kept secure;
    • the individual’s right to make a subject access request, correct inaccurate personal data and request to be forgotten;
    • the right to object to processing personal data if the employee’s particular situation requires it;
    • the right to withdraw consent to processing personal data – where you are relying on consent instead of the personal data being necessary to meet your obligations under the contract of employment;
    • the right to complain to the Information Commissioner’s Office.
  • Include a data protection statement in your contracts of employment.
  • Conduct impact assessments on your existing technologies and any new technologies to be adopted.
  • Appoint a Data Protection Officer (if necessary for your organisation).