The General Data Protection Regulation (GDPR) will be implemented by May 2018 and will have a significant impact on how businesses manage the personal data of their employees. We have assessed a number of the implications for our clients from an employment law perspective and have made some recommendations below.
Processing employee data
GDPR, like the current data protection legislation, permits employers to collect and use data relating to individual employees only if there is a lawful basis for doing so.
Processing personal data in order to perform obligations under the employment contract, for the purpose of other legitimate interests, or in order to comply with a legal duty imposed on the employer in connection with employment law is permitted in principle. The processing of personal data with the consent of the affected individuals is also permitted by the current Data Protection Act and by the GDPR.
To address the need for a lawful basis of processing, it is very common for UK employers to include a data protection clause in employment contracts whereby the employee is required to consent to the employer's use of their personal data. However, while there is doubt over the extent to which consent can be relied on in the employment context under current data protection rules, GDPR contains more detailed and strict consent provisions which employers should be aware of. In particular:
Subject Access Requests (SARs)
In many ways the GDPR enhances employees' rights to access personal data held by their employers: GDPR entitles them to more detailed information regarding the way in which their data are processed, reduces the time limit for the employer's response, abolishes the current £10 fee for responding to a SAR and requires employers to give reasons for any refusal to comply. Employers may, however, take some comfort from the fact that, where requests are particularly complex, the time for compliance may be extended by up to 3 months. If requests are manifestly unfounded or excessive, employers are entitled to charge a reasonable fee (taking into account the administrative costs of providing the information) or to refuse to act on the request altogether. It is likely that the ICO will publish guidance in due course to give an indication of what sorts of requests could be viewed as 'complex', 'manifestly unfounded' or 'excessive'. Where an employer intends to delay the response to a request or refuses to respond, the employer must write promptly to the individual within the month explaining this and informing the requester of the right to complain to the ICO or to seek a remedy in the courts.
An additional consideration for employers is that GDPR confers a new right of 'data portability', which applies to data supplied by an individual and then processed either with a view to entering into a contract with him or her or in order to comply with a contractual duty owed to him or her. This right of data portability is likely to apply not only to personal data supplied directly by employees (e.g. during recruitment or on-boarding) but also to 'observed data', i.e. data collected by the employer as a direct result of its observation of employee activity (e.g. time and attendance data). Where the right applies, employees are entitled on request to receive their data in a structured, commonly used and machine-readable format (i.e. a data format that can be automatically read and processed by a computer, for example CSV, JSON and XML, but excluding PDF documents and scanned images) and to have the data transferred to other organisations.
In order to prepare for compliance with the GDPR, employers should take steps now to: