GDPR (GENERAL DATA PROTECTION REGULATION) AND HR COMPLIANCE
The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018. Below is a series of articles providing practical steps to help you to ensure that your HR function is GDPR compliant. We will continue to add information beyond the implementation date, so bookmark this page and continue to check back.
The amount of data available and the way it is shared and processed has changed significantly since the Data Protection Act was introduced in 1998. Technology has continued to develop, but so too has knowledge of (and attitudes to) data privacy and protection. Just as the general public have become more interested in who holds data about them, where it is held, for what purpose, for how long it will be held, and indeed who owns the data, so have many employees. The General Data Protection Regulation seeks to provide a framework to regulate this. In addition to reinforcing existing provisions, the GDPR also introduces new concepts, from the so-called ‘right to be forgotten’ to the ‘right to restrict processing’.
In short, the new regulation provides that data must be processed ‘lawfully, fairly and in a transparent manner’. It also provides that processing must be limited to what is ‘necessary’.
What can I do to ensure our HR function is GDPR ready?
Many businesses already have their preparations to comply with the new regime either in place or, at the least, well in hand. This blog provides a methodology which can help you to ensure that your HR function is compliant.
The first step in doing so is to understand what categories of personal data you hold, where you hold it, and how it moves into, through and out of your organisation. The simplest way of doing this is by creating a ‘data map’ so that you know what you are dealing with. We will deal with this in ‘Step 1’. As the GDPR provides that data must be processed ‘lawfully, fairly and in a transparent manner’, we will look at that in the second step of this blog (below).
STEP 1 – DATA MAPPING, DATA PROCESSING AND INDIVIDUAL CONSENT
Is data mapping an obligation under GDPR?
In short, no. However, Article 30 of the General Data Protection Regulation provides that organisations must maintain a record of processing activities. While the GDPR does not make provision for how that must be done, it is generally accepted that ‘data mapping’ may be an effective first step in a comprehensive methodology to both check and prove your compliance and therefore to improve data protection and data privacy. If carried out carefully your ‘mapping exercise’ will help you to establish the nature and scope of the personal data being processed across your HR function.
Is ‘personal data’ the same under GDPR as under the old Data Protection Act?
Not exactly. The scope of ‘personal data’ under the GDPR will change to include information relating to an identified or an ‘identifiable’ natural person. For these purposes, if a person is ‘identifiable’ by reference to an identification number, location data or an online identifier, this data will be covered. In some contexts this means the GDPR may ‘catch’ information such as an employee’s payroll number, tracking data (for delivery drivers, for example) or usernames/log-ins for computer access. In addition, ‘personal data’ will also include what is currently known as sensitive personal data, though even this will be expanded to cover genetic and biometric data.
What other factors should be considered as part of the ‘mapping exercise’?
Factors to consider in a GDPR mapping exercise include the categories of data held by HR about different individuals (job applicants, agency workers, employees, leavers etc.), the sources of that data, where and how it is held, and the identity of those it is shared with. Don’t forget to include external providers such as payroll and pensions administrators (on which, see below). Keep a record of the exercise you undertake and keep it under review. In addition to the above, you should also identify any internal HR policies and practices which involve the control and processing of data. Don’t forget to review other potentially relevant areas such as induction and leaver arrangements, pre-employment health questionnaires and insurance.
Template documentation including letters and contracts should also be reviewed, particularly ‘consent’ provisions in contracts of employment which are likely to need reviewing and/or updating.
Okay, I’ve mapped the data. What next?
Once you have undertaken your GDPR data mapping exercise you must then consider (and record that consideration) whether you have a lawful reason (known as a ‘lawful basis’) to process each category of data you have identified. For an HR function, obvious lawful reasons might be some obligation set out in a contract, or some other legal obligation (such as providing information to HMRC or even keeping records of working time). Another lawful reason might be that such processing is necessary for your legitimate interests (the guidance describes this option as ‘flexible’, but one to be applied where data is processed in a way that has minimal impact on the individual). Additional conditions for processing will apply to ‘special categories of data’, most likely that the processing is ‘necessary to carry out obligations and exercise rights in the context of employment law’. Wherever you get to on this, you should both keep a record of your analysis and keep that under review.
Where we do not appear to have a lawful reason for processing particular data, what should we do?
Where you do not have a ‘lawful basis’ for processing data, individual consent will be required. In circumstances where consent is required it must be given freely based on information that is specific and easy to understand. The guidance suggests that consent cannot be given ‘freely’ where there is an imbalance of power between the data controller and the data subject. This is unfortunate as it may well apply in an employment context (because an individual could suggest that they felt that they had no choice but to comply with a request from their employer). As a result, consent should perhaps only be relied upon as the lawful reason for processing data in limited circumstances and, in particular, where an employer can demonstrate that the individual genuinely has a free choice in the matter.
How do we approach the issue of individual consent?
If you do intend to seek individual consent to process data you must provide the individual in question with a ‘privacy notice’. This must include details about who will control the data, the purpose of the processing and how long the data will be retained. Consider carefully who will need to give individual consent (don’t be tempted to rely on ‘consent’ in existing employment contracts or data protection policies which may not be sufficient) and how and when you will seek that. Bear in mind that it may take some considerable time to prepare and circulate the relevant privacy notices and to collate responses.
Once given, can an individual withdraw consent under the General Data Protection Regulation?
Consent can be withdrawn by an individual under the GDPR where no lawful basis exists. Consider developing processes to ensure there is an accurate record of any specific consent given by an individual together with a straightforward way of allowing that individual to notify HR if consent is withdrawn as well as any request to delete and/or return data where appropriate.
You mentioned external HR support such as payroll providers. How do we deal with them?
The GDPR regime provides that, where a controller (HR in this context) uses a processor (a payroll provider for example) a written contract must be in place incorporating a series of compulsory terms. (Although the guidance suggests use of standard contractual terms none have yet been published by the Information Commissioner’s Office.) In short then, you need to find those contracts and prepare to re-negotiate them. Your external providers will very likely be expecting this. Bear in mind their own templates are likely to be in their own favour rather than yours so, if you tend to adopt their contracts, ensure you take advice on them.
Will the Data Subject Access Request (DSAR) system change?
Although the right to make a DSAR is a familiar one, the obligations will change:
- the timeframe for responding will reduce to 1 month (although an extension of a further 2 months is possible where requests are ‘complex or numerous’);
- information must be provided electronically where possible; and
- a fee won’t be payable unless requests are manifestly unfounded or excessive.
If you do not already have one, consider introducing a clear process for managing data subject access requests (DSAR).
Conclusion
The new changes heralded by the GDPR are intended to bring about a cultural shift in the way data is controlled and processed. Inevitably a balance is required between the rights and expectations of individuals and the needs of the business, but these new obligations undoubtedly change the way that an organisation engages with its workforce. Ultimately a wholesale review or data mapping exercise is a good first step in a comprehensive methodology to ensure GDPR readiness, but it is only when this work has been done that HR’s most pressing data protection priorities are likely to emerge. As a result, we’ll be publishing a series of guides in the run-up to the EU General Data Protection Regulation coming into force.
STEP 2 – ENSURING YOU HAVE A LAWFUL BASIS FOR PROCESSING THE INFORMATION YOU HOLD
As stated above, the GDPR provides that data must be processed ‘lawfully, fairly and in a transparent manner’. It also provides that processing must be limited to what is ‘necessary’.
In step 1 (above) we suggested carrying out a data mapping exercise in order to ensure you understand the data you hold and how you interface with it. The next step in ensuring your HR team is GDPR ready is to make sure you understand and record any ‘lawful basis’ you have for processing each category of data. Given this you need to ensure that, as a starter for ten, you understand the various different lawful bases for that processing.
So, what is a lawful basis for processing data?
Although the terminology has changed this is not a new concept. The Data Protection Act currently in force provides that a data controller must meet one or more conditions for processing data. The ‘lawful bases’ set out in the GDPR are similar to these, but are geared towards transparency and accountability.
How many lawful bases are there under the General Data Protection Regulation?
Under GDPR there are six possible ‘lawful bases’ for processing data. You have the freedom to choose which one (or more) you adopt for any such processing. Of these six possible bases: contract, legal obligation, legitimate interests, consent, vital interest and public task, only the first four are likely to be relevant to data processed by the majority of you in HR. Let’s look at these categories in turn.
‘Contract’ and ‘Legal Obligation’
It is likely to be straightforward to identify when either ‘contract’ or ‘legal obligation’ applies, particularly in an HR context, given that much of your relationship with your workforce will be governed by one or the other:
- ‘Contract’ applies where ‘the processing (of data) is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract’. Examples include processing an employee’s bank details and/or keeping a record of their working hours so they can be paid in accordance with a contract of employment.
- ‘Legal obligation’ applies where ‘the processing is necessary for you to comply with the law (not including contractual obligations)’. Examples include keeping a record of night work to ensure compliance with the Working Time Regulations or the provision of information about employee earnings to HMRC. You should keep a record of the legal obligation that applies in each case. Guidance from the Information Commissioner’s Office (ICO) suggests this should be done ‘either by reference to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly’.
‘Legitimate interests’ and ‘Consent’
Where neither ‘Contract’ nor ‘Legal obligation’ apply then your likely legal bases are ‘Legitimate interests’ or ‘Consent’. These are more complex and could require you to undertake further work to ensure they are applied properly.
- ‘Legitimate interest’ applies where ‘the processing (of data) is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests’. The GDPR specifically states that controllers who are ‘part of a group of undertakings or institutions affiliated to a central body’ may have a legitimate interest in transmitting data for internal administrative purposes and that this includes processing of employee data. For example, this might include the transfer of data from a subsidiary company to a head office HR or payroll function. [IMPORTANT NOTE] Although this option looks like an attractive catch-all and one which avoids the need for individual consent, the ICO guidance suggests it should be used with care. This is because the organisation must make its own assessment about whether the data processing is properly balanced against the rights of the individual. The ICO guidance sets out a three-part test called a ‘legitimate interests assessment’ (“LIA”) which it recommends organisations use if they intend to rely on this as their lawful basis for processing. This requires the organisation to think about (and record) what it is trying to achieve by processing the data, the impact of the processing on the individual, whether any data might be private or sensitive, and whether any individual might object if it was explained to them. More detailed guidance is expected from the ICO on this shortly.
- ‘Consent’ applies where: ‘the individual has given clear consent for the organisation or company to process their data for a specific purpose’. This must now be a positive choice on the part of an individual rather than a default position as is often the case where there is a data protection clause in a contract of employment. For example, this may involve asking individuals to tick an opt-in box online, to reply to an email or to sign and return a hard copy form.
Are there specific requirements for valid consent?
In brief, yes. Individuals must be told the name of your organisation and the name of any third-party organisation who will rely on the consent, why you want the data, what you intend to do with it and about their right to withdraw consent. Organisations using consent as a ‘lawful basis’ will need to demonstrate it has been given freely. This is likely to be difficult given the imbalance of power between employer and employee, so it should be used sparingly. The ICO will publish final draft guidance about consent in the coming weeks.
What are the other ‘lawful bases’?
The two other ‘lawful bases’ available are ‘vital interests,’ where processing is necessary to protect someone’s life (most likely to apply to emergency medical care where the individual is incapable of consent), and ‘public task’ where processing is necessary to perform tasks in the public interest such as the administration of justice. Neither of those is likely to be relevant to most HR teams.
What about ‘special category data’?
‘Special category data’ is that which reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data about health or sex life and sexual orientation and the processing of genetic or biometric data.
For this type of data not only should you identify a lawful basis for your processing but you should also meet an ‘additional condition for processing’. The GDPR lists a number of additional conditions. In an HR context the most relevant are likely to be explicit consent (a more onerous obligation than regular consent) and ‘processing necessary for the purposes of occupational medicine and the assessment of the working capacity of an employee’. A specific condition also applies where processing is necessary to carry out obligations and exercise rights in the context of an individual’s employment.
Conclusion
The lawful basis you identify for each category of data you intend to process must be recorded along with the reason why you believe it applies. It is important to determine the right lawful basis from the outset. You are not able to retrospectively swap or change the lawful basis if it is later proved to be wrong. In practice, if more than one lawful basis might legitimately apply, then that should be recorded. You are not obliged to record the information in any particular way, but it may make practical sense to incorporate it into your data mapping so that all of the information is in the same place.
Identifying the appropriate lawful basis for the different processing you undertake is not the end of the story. Even after that work has been done it needs to be regularly reviewed and appropriate records should be kept.
Our next article will examine how you inform individuals about your lawful basis for processing plus the practicalities of other individual rights under the GDPR including the withdrawal of consent and the ‘right to be forgotten’.
ACTION POINTS
What should we do now?
• Check that your data mapping exercise has captured all the information you and others hold about your workforce (before employment, during employment and after they leave). Separate it into categories.
• For each category of data you process, identify the most appropriate lawful basis under the GDPR and check it applies. Do the same for any additional condition relevant to special category data. Keep a record of your decision.
• If necessary check whether any other lawful basis might apply. Consider whether you might need to carry out an LIA for ‘legitimate interests’ purposes or prepare to seek individual consent. Don’t finalise anything until you have reviewed the forthcoming ICO guidance.
• If you already have individual consent for certain types of processing check whether that is likely to meet the new GDPR requirements. If not prepare to update/reissue those requests or adopt an alternative lawful basis.
STEP 3 – PREPARING PRIVACY NOTICES AND SYSTEMS FOR ENSURING COMPLIANCE WITH INDIVIDUAL RIGHTS
Having considered data mapping and the different types of ‘lawful basis’ for processing data, the next step in getting your HR function ready for GDPR compliance is to ensure that your team understand and are able to comply with a series of new and expanded rights afforded to individuals. For these purposes the key rights that you should ensure your team are alive to are:
- the right to be informed,
- the right of access,
- the right of erasure, and
- the right to withdraw consent.
We’ll consider these key data protection rights in turn below.
What is the ‘right to be informed’?
The Data Protection Act as it stands already provides for individuals to be told about the data you hold and what you intend to use it for in a ‘privacy notice’. Currently you may use a series of different privacy notices to process HR data and those might be issued separately or included with standard terms in a contract or a handbook.
Privacy notices under the GDPR will need to be more detailed than they are under the Data Protection Act. The Information Commissioner’s Office (ICO) has produced a separate code to help organisations with this task. There is no required form a privacy notice must take but, in brief, the ICO code is clear that it must be ‘concise, transparent, intelligible and easily accessible’ as well as ‘written in clear and plain language’.
Where data has been obtained directly from the individual, the privacy notice must include, for example, the identity and contact details of the data controller, details about the purpose and ‘lawful basis’ for the processing, who will receive the data, how long it will be retained for and any possible consequences if data is not provided (if ‘contract’ or ‘legal obligation’ are relevant – see above). Individuals must also be told what rights they have in respect of their data including, where relevant, their right to withdraw consent (see below). The code states that information can be delivered orally, in writing, through signage or electronically.
In practical terms, before the GDPR comes into force HR teams will need to think about when and where they will use ‘privacy notices’ and ensure that the information provided to individuals meets the new requirements. Obvious points in the relationship are, for example, during recruitment (telling prospective employees what you will do with their application data) and when an employee starts work (seeking information from employees about bank details and next-of-kin). While there is nothing to say that privacy notices cannot feature in a contract or in a handbook, you should understand that this won’t work on every occasion and for every purpose. For example, if you are relying on ‘consent’ as your lawful basis for processing the data, you must be able to demonstrate that the individual has positively opted in on a particular issue, as opposed to simply providing them with a default clause or statement. Further ICO guidance is expected on privacy notices imminently.
What is the ‘right of access’?
The right of an individual to access the data you hold about them is not new to GDPR. Most HR teams will be familiar with the pain of dealing with data subject access requests, not least because employees often make them when litigation is on the horizon.
Under the new regulation, the basic entitlement remains the same, though there are a couple of key differences under the GDPR. The first is that the time for responding to a request for data is reduced from 40 days to a month though it should be noted that it will be possible to extend this deadline by a further two months where requests are ‘complex and numerous’.
The second change is that the data must be provided for free, although our experience is that most HR teams and most companies already do this. Note that under GDPR, if a request is ‘manifestly unfounded or excessive/repetitive,’ then it can be refused or, alternatively, a reasonable fee can be charged. The size of the fee must be based on the administrative cost of providing the information. However, the threshold for demonstrating that a fee should be paid is likely to be high and the fact that it takes a long time to collate and prepare a response is unlikely to be deemed sufficient by itself. In practice, where a response to a data protection request is likely to be time consuming and/or costly, a better option might be to try and limit the scope of the data perhaps by agreeing a timeframe/key word searches with the individual. If you do intend to refuse the request or to charge a fee you must explain this to the individual and inform them of their right to complain to the ICO.
It is important that your HR team and your line managers are able to recognise a data access request and that it is escalated to the appropriate part of the business so it can be dealt with quickly and appropriately. Note that there are several potential ‘exemptions’ available which can be used to limit or restrict the data to be supplied. Line managers should be encouraged to flag these requests instead of dealing with them in isolation to ensure that ‘manifestly unfounded’ requests are dealt with appropriately and any relevant exemptions are applied before the data is released.
What is the ‘right of erasure’?
In limited circumstances individuals can ask for data held about them to be erased. This has been referred to in the press as the ‘right to be forgotten.’ In particular, this right applies where it is no longer necessary for the organisation to hold the specific data, where the individual has withdrawn consent to process that data or where the data has been processed unlawfully. For example, this would apply where an individual has applied unsuccessfully for a vacant role and asks for their CV to be erased from your recruitment system. In these circumstances, a request to delete data must be processed within one month.
There are, however, some exemptions to the right of erasure. For example, the right to erase does not apply where the organisation must process the data to comply with a legal obligation or where the data is required for the exercise or defence of legal claims. You can refuse requests that are ‘manifestly unfounded or excessive’ provided you inform the individual that you do not intend to comply and, again, tell them they can complain to the ICO. Alternatively, as with an access request, you can charge a reasonable fee based on the administrative cost of complying with the request.
The greatest difficulty with this right in practice is likely to be that there is no set form for making the request. It can be made verbally or in writing to anyone in the organisation. It does not need to make any specific reference to ‘erasure’ or to any legislation. It will be important to ensure that HR and line managers are aware of this right and that someone in the organisation is nominated to consider and record requests (or potential requests) to ensure they are neither missed nor simply ignored.
What is the ‘right to withdraw consent’?
The ICO has yet to publish its final guidance on consent, but it has recently published guidance prepared by the ‘GDPR working party’ (a group of representatives from data protection authorities from each EU state). We mentioned earlier that it might be difficult to use ‘consent’ as a lawful basis for processing data in the employer/employee relationship due to the imbalance of power, and the new guidance from this working party takes it a step further. The guidance suggests employees will only be able to give consent in ‘exceptional circumstances when it will have no adverse consequences at all whether or not they give consent’. In the circumstances it may make sense for any request for consent to make this point clear.
If you do decide to use ‘consent’ as your lawful basis for processing any particular set of data then you will need to tell employees about their right to withdraw that consent and how they can do so. A failure to state this or to facilitate a means of withdrawal will render the consent invalid.
Employees should be able to withdraw consent without suffering any detriment or adverse consequence and, although giving and withdrawing consent does not necessarily have to be facilitated in the same way, withdrawal should not be more difficult. The guidance suggests that, where consent is obtained through any ‘service-specific user interface’ such as a website or an app, it should also be possible to withdraw consent using the same means. It would be unlikely to be considered appropriate, for example, for people to give consent to the processing of data online, yet be required to make a telephone call to withdraw it.
In the circumstances it is important to ensure that any HR system in place allows you to demonstrate how consent was sought, that you have an up to date record of the consent and that any requests to withdraw it have been acknowledged and actioned.
Are there any other individual rights not yet mentioned?
Other rights provided for under the GDPR include: a right to rectification (where data is inaccurate); a right to restrict processing (as an alternative to erasure), a right to data portability (moving and reusing data), a right to object (relevant to processing for ‘legitimate interests’ and to direct marketing), and rights related to automated decision making (where decisions are wholly or partly made without human involvement).
ACTION POINTS
So, in addition to what has been set out in previous blogs, what should be done now?
• Ensure that your team understand the various rights individuals will have under the GDPR. Provide training as necessary.
• Identify the ‘privacy notices’ or other communications about data that are sent by HR. Check whether they meet the new requirements and amend them if necessary. Wait for the ICO guidance before you finalise them.
• (To the extent possible) plan where privacy notices will be provided in the employment cycle.
• Consider how any request for consent could make it expressly clear that there will be no adverse consequences either if the employee refuses to give consent at the outset or if they later choose to withdraw it.
• Ensure that HR and line managers have received training on the different individual rights including the right of access and how to identify and record a potential request to erase data.
• Put a robust system into place to manage employee consent and withdrawal. Ensure appropriate records are retained to demonstrate compliance.
Conclusion
Not all of the rights granted to individuals are new, but organisations are being held to a higher standard under the GDPR. With just a month to go until these new obligations come into force it is important for HR to ensure that systems have been introduced or adapted to manage these rights and that line managers know and understand the changes.
This article contains general information in respect of GDPR only and should not be construed as legal or other professional advice or otherwise relied upon. Users should seek legal advice from a qualified lawyer about a particular issue or problem before taking (or not taking) any particular course of action.