The EU General Data Protection Regulation ("GDPR") applied from 25th May 2018. It is the most significant change to data protection law in a generation and represents the pinnacle of changing global norms around privacy and the use of personal data. Many countries around the world have since introduced their own frameworks designed to keep pace with the GDPR.

The GDPR introduced broader territorial scope, as well as a suite of heightened requirements and authority for regulators to issue unprecedented fines. As a result, employers who process the personal data of their EU-based employees will face considerable risks. But as other countries start to follow suit, the GDPR also offers organisations new promise: complying with the GDPR can serve as the springboard for the wider world.

The highlights of GDPR include (among others):

  1. Expansive definition of personal data: Personal data is defined widely to include any information that could reasonably be used to identify an individual. It's not just names and contact details, but also online identifiers, photos and behavioural traits and any other information that can be used to single someone out or take decisions affecting him or her.
  2. Extended territorial scope: The GDPR applies to employers in the EU, as well as to parent companies outside the EU that process personal data in the course of providing services to employees, workers or contractors in the EU, or that monitor their behaviour. This means that virtually any organisation with workers based in the EU could be subject to the GDPR.
  3. Expansive enforcement powers: Employers could face sanctions such as fines from regulators up to the higher of 4% of the organisation’s worldwide annual revenue or €20 million. The GDPR also permits individuals to bring actions for compensation and introduces group actions to the EU for data protection violations.
  4. Heightened individual rights: Individuals – whether employees, workers or independent contractors – have a number of rights under the GDPR. Some of these rights are existing rights that were created under previous data protection legislation but which have been strengthened, such as the right to obtain a copy of personal data. Other rights are new, such as the right to 'port' the data to a different organisation, which are perhaps less relevant in the employment context.
  5. Changes to the definition of consent: Consent is much more challenging, particularly in the employment context. Generally, to obtain valid consent from an individual, an organisation must ensure that the consent is granular, can easily be withdrawn and is not “take it or leave it”. Where possible, employers should avoid seeking to rely on consent unless no other applicable grounds apply. Particularly in the employer-employee relationship, it would be difficult to demonstrate that the consent was freely given.
  6. New accountability requirements: Under the GDPR, employers must implement data protection as a core element of the design of any product or service. This means adopting technical tools, such as encryption, where feasible, as well as broader organisational measures, such as appointing a data protection officer (where certain thresholds are met), conducting privacy risk assessments (known as "data protection impact assessments") for high-risk activities, and keeping detailed records of processing activities that can be made available to regulators (unless exemptions apply). Employers also need to consider how they will address data protection in their contracts with service providers and business partners that process employee data.
  7. Data breach notification: For the first time, personal data breach notification will apply to most sectors across the EU. Notably, the GDPR adopts a low threshold for what constitutes a breach and personal data breaches must be reported to competent regulators, without undue delay and where feasible within 72 hours.
  8. Harmonisation across the EU: In taking the form of a regulation, rather than a directive, the GDPR eliminates many of the country-specific requirements that existed under the regime it replaced. However, some local variations will continue to persist in certain areas such as employment.

Addressing the risks posed by the GDPR requires a case-by-case assessment of the friction points for each organisation. There is no one-size-fits-all solution. To address the significant risks posed by GDPR enforcement, we recommend that employers understand how they collect, use and store personal data of their workforce. Only then can an employer implement tailored solutions.
1. GDPR is only meant to apply to social media companies, so I don't need to worry about it, right?

Not correct. The GDPR affects businesses whether or not they consider themselves to be data-centric, and its application is guided not by the business of the employer but by the information and data processing activities carried out.

Every organisation is likely to handle the personal data of its employees, even start-ups. Think of the data you collect about applicants, employees, contingent workers and independent contractors – all of this will include personal data. It is also worth noting the level and volume of personal data per employee / applicant that your business holds; many businesses are likely to have fewer employees than customers or clients, but are likely to hold far more personal data per employee or applicant, which means there are clear risks around failures to compliantly process staff and applicant data.

2. Does the GDPR mean I need to ask consent for everything?

Absolutely not, particularly in the employment context.

Consent is only one so-called 'legal basis' for processing personal data. There are others too. The GDPR permits you to process personal data for instance where it is necessary for the performance of a contract (such as paying an employee's salary or providing benefits where you have contractually committed to doing so), or when required by law. You can also process personal data when it is in your (or a third-party's) legitimate interests to do so. Where another legal basis validly applies in respect of a particular processing activity, you don't need the individual's consent to process it in that way.

Where you are handling sensitive personal data (including race, ethnicity, political opinions, religious or philosophical beliefs, health, sexual orientation, trade union membership, or genetic or biometric data), you will need to take additional steps to ensure you can process the information compliantly. When processing such information, depending on the purposes, you may well have other legal bases for processing, such as compliance with employment law, meaning you won't need the individual's consent to process such data.

To rely on legitimate interests as grounds for valid processing, you need to carefully assess whether your interests outweigh the privacy risks to employees, workers, applicants etc. This means that your focus should be on designing your systems in ways that reduce risks, such as by reducing your collection of data to only what you need and using privacy-enhancing techniques, like hashing or encryption whenever possible. You must also offer users the option to opt-out if they do not want to participate (unless you are able to demonstrate compelling legitimate grounds).

Obtaining valid consent under GDPR is very difficult, especially for employers. Consent needs to be specific, informed, freely given and active – the ICO has made clear that it doesn’t consider consent can be freely given in the context of the employment relationship. In other words, it must be opt-in and a genuine choice. In addition, consent can be withdrawn at any time and workers must be given the opportunity to do so. For this reason, consent is usually a last resort for employers, when no other basis is available or when the law specifically requires it. General or catch-all consent clauses in employment contracts will not meet the requirements for valid consent and should not be used as a fallback, as they may also undermine any other, legitimate bases for processing.

As a final point, consent is not the same thing as transparency or notice. With very few exceptions, the GDPR will require you to provide your workers and applicants with information about how you process their personal data (i.e. a privacy notice). This information needs to be clearly presented so that curious individuals can understand how their personal data is handled.

3. I've heard of the 'right to be forgotten'. Does this mean I need to be able to delete all data on request?

Thankfully, no. It's true that the GDPR provides individuals a right to request that you delete their personal data, but the right does not apply to all the data you hold. This is in part why working out your legal basis is so important: if you're legally required to continue to hold the data – which is often the case in the employment context – then you do not need to delete it. Equally, if you're relying on the legitimate interests ground for processing and you can show that those interests are sufficiently compelling to override the request, then you do not need to delete the data.

However, if you asked for consent and the individual later revokes it, you usually would need to delete the data too. Data that is inaccurate, out of date or not needed for the purpose it was collected would always need to be deleted on request.

4. Complying with GDPR is really hard. Can't I just wait until we're bigger?

As they say, there's only one way to eat an elephant: one bite at a time. You're better off getting started when your company is young for several reasons. Firstly, employees expect that you will comply. If you don't meet the basics, you'll lose out on great talent. Secondly, it's easier to start when you're small and build the foundation. The basics of compliance are actually not that hard for start-ups because you will have a smaller workforce. Bigger and older companies have a heavier lift because they need to go back and work out what data they hold on their workers, where it is stored and how it is used. Thirdly, regulators are less concerned with the size of an organisation than with the privacy risks it can cause for individuals.

Just because you should get started, does not mean you should strive for perfect compliance on day one. Look for 'quick wins' that will allow you to showcase your efforts – for example, by updating your employee-facing privacy notices and contracts with benefits providers. Another great place to start is to identify and record all the types of data you collect so you can begin to understand whether all of it is needed.

5. An applicant just asked for all their data – can they do that?

Applicants, employees and other staff members have the right under Article 15 of the GDPR to ask for access to personal data that you hold or otherwise process about them. They can make a request in any format – in writing, in person, by telephone and so on.

Once the request has been made, you will have 1 calendar month from the date of receipt to respond, including providing the information sought, unless there are grounds for an extension of up to two months (simply being slow to deal with a request is not an acceptable ground for applying an extension).

It is important to identify a request early on and then identify the information you are being asked for and the steps you will need to take to locate this information and to respond to the individual. You may need to take further steps to understand what information the worker or applicant is asking for, and should do so as soon as possible. If you think there are grounds for extending the deadline for responses, you will also need to inform the individual as soon as possible.

There are some limits to what must be provided – the individual will only be entitled to their own personal information, and you won't be required to disclose legal advice, for example. Appropriate advice should be sought if you are uncertain.