GDPR: What do EMPLOYERS NEED to know...?

You probably know by now that the General Data Protection Regulation (GDPR) is coming into force on 25 May 2018.  There is not the space here to review all of the changes, but what follows is an overview of some of the key issues that employers and HR directors should be addressing:

  • Organisations should determine and document their legal basis for processing personal data.  Aside from consent, other grounds of justification for processing data include where this is necessary for the performance of a contract with the individual or to comply with a legal obligation.
  • A new standard for consent is to be introduced which restricts the use of consent as a justification for processing data.  Consent must be freely given, specific, informed and unambiguous: silence, pre-ticked boxes or inactivity will not amount to consent.
  • ‘Sensitive personal data’ under the Data Protection Act will be given the snappy new title ‘special categories of personal data’.  As before, additional criteria will need to be met for processing of this data to be lawful.
  • There will be important changes to rules around privacy notices explaining how and why data is processed.  Information provided to individuals must be concise, transparent and freely accessible. Businesses should start reviewing their employment contracts and staff handbooks in order to ensure that these will comply with the new requirements.
  • Safeguards will be introduced around automated decision-making and profiling, where decisions are taken without human input.  Unless the decision is necessary for performance of a contract with the individual, authorised by law or made with specific consent, individuals have the right not to be subject to a decision based on automated processing where this produces a legal or similarly significant effect.  Explicit consent will be crucial for employers and recruitment agencies where automated decision-making is used in relation to, say, recruitment, performance management or promotion decisions.
  • A new ‘accountability’ requirement under which employers will have to demonstrate compliance and keep written records of processing activities.  This will involve implementing measures such as training and reviewing internal HR and data protection policies, data minimisation, and may include pseudonymisation and allowing individuals to monitor processing. 
  • As before, individuals will have the right to make a Data Subject Access Request (DSAR), but there are also key differences:
      • Employers will no longer be able to charge the usual £10 fee for responding to a DSAR, but they will be able to charge a ‘reasonable fee’ based on the administrative cost of providing the information when the request is manifestly unfounded or excessive, or when complying with requests for additional copies of the same information.
      • Information should be provided ‘without delay’ and at the latest one month after the request.  This can be extended by a further two months if requests are complex or numerous.  The employer will need to explain to the individual why the extension is necessary.
  • The Information Commissioner's Office (ICO) has published a practical checklist outlining twelve steps to take to prepare for the GDPR.  These include documenting the information held, where it came from and with whom it is shared (a data mapping exercise), reviewing privacy notices, checking policies and procedures, and reviewing the legal basis for the different types of processing.  The ICO has updated its guidance in key areas, including its Privacy notices code of practice, and has published draft guidance on consent.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.