The GDPR – What Employers Need to Know Now
The right to the protection of data is not an absolute right; it must be balanced against other fundamental rights. This includes the freedom to conduct business.
There is an increased emphasis on the principle of transparency. Individuals must be made aware that personal data concerning them is being collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed.
Any information and communication relating to the processing of those personal data must be easily accessible and easy to understand. Clear and plain language must be used.
Data controllers must be able to demonstrate their compliance with the principles.
The GDPR increases the amount of information which must be provided to individuals. Currently organisations have an obligation to provide the name of the data controller, the purpose for which data is to be processed and such further information as is necessary to enable processing to be fair. Under the GDPR data controllers must also provide individuals with the legal basis for processing the data and, if the processing of data is based on a legitimate interest, details of that interest.
Data controllers will have to keep an internal record of all personal data processing they carry out. The exemption for organisations with fewer than 250 employees is narrow: it does not apply where processing is not occasional or involves special categories of data, which will be the case for almost all HR data, so in practice most employers will need to keep these records regardless of headcount.
Before processing data, organisations must have already identified the lawful basis for the processing and, where relevant, the legitimate interest relied upon. They must also know in advance how long they intend to store the data, what measures are in place to ensure the data is not retained for longer than that period, and what technical and organisational security measures are in place to keep the data protected.
These additional burdens on employers do in fact present an opportunity for them to shape the scope of data protection in their workforce. This is because some rights of data subjects depend on the lawful basis relied upon by the employer. If an employer is relying on consent (as most currently do), the individual will generally have stronger rights, for example the right to have their data deleted.
Providing information to the data subject in advance is what gives the employer the power to decide what processing of data takes place and, consequently, the power to define the boundaries of an employee's private space.
It is necessary to carry out a Privacy Impact Assessment (called a Data Protection Impact Assessment under the GDPR) where processing is likely to result in a high risk to individuals.
Employers cannot reduce their employees’ private life to zero.
If relying on consent to process data, that consent must be freely given, specific, informed and unambiguous, and it must be demonstrated by a statement or by clear affirmative action. Consent cannot be buried in a contract of employment; it must be in a separate document. Given the imbalance of power between employer and employee, consent will rarely be considered freely given in the employment context. We advise employers either to obtain fresh, separate consents from their employees or, preferably, not to rely on consent at all and instead to identify another lawful basis for the processing: is it necessary for the performance of the employment contract, or necessary for the employer's legitimate business interests (bearing in mind that legitimate interests can be overridden where the processing has a disproportionate adverse impact on the employees)?
It will no longer be possible for the data controller to charge an administration fee for providing data in response to a Data Subject Access Request (DSAR), except where a request is manifestly unfounded or excessive. Data must be provided without undue delay and no later than one month from the request, although that period can be extended by up to two further months where requests are complex or numerous. IMPORTANTLY, there will no longer be any limitation on the purpose for which an individual can make a request. Currently, employers can refuse a request where it appears that the DSAR is an attempt by the employee to obtain pre-action disclosure of documents in view of impending litigation. That will no longer be a ground for refusal.
The consequences of breaches are enormous: fines of up to 4% of global annual turnover or 20 million euros, whichever is the greater. It will also be a criminal offence for a data controller to destroy data in order to prevent the data subject from receiving it. The data subject will be entitled to compensation even where no financial loss has been suffered; distress alone will be sufficient.
The GDPR introduces a new right to data portability. The right arises where personal data was provided to the controller by the data subject, where the processing is based on the individual's consent or is necessary for the performance of a contract, and where the processing is carried out by automated means. Individuals will have the right to obtain and reuse their personal data for their own purposes. Employers will have to provide this data in a structured, commonly used and machine-readable format and, where technically feasible, may have to transmit it directly to another data controller at the individual's request.
The GDPR must be considered during recruitment as well as once employees join the company.