What will the General Data Protection Regulation mean for HR leaders?

The new, tougher data protection regime, the General Data Protection Regulation (GDPR), will come into effect on 25 May 2018. Why should the GDPR land in HR’s in-tray - surely data protection is the domain of Information Systems, as the technical experts who monitor your systems? GDPR is based on the principle of accountability, and the new rules implement changes which will directly impact on the everyday work of HR practitioners. As HR leaders you will want to ensure your data management is compliant. Poor data security leading to public exposure of sensitive personal information could result in a hefty fine (potentially up to €20m or 4% of annual global turnover, whichever is higher) and reputational damage with wide-ranging implications.

Your University will certainly have an action plan to prepare for GDPR.  HR’s concerns relating to employee data may be very different to departments managing the University’s interface with students and the wider community.

This article highlights some important changes that should be on your HR team’s radar. We start with a quick reminder of Data Protection terminology and conclude with actions HR leaders can consider as part of your preparations, including a handy Action List which should help to guide you through the process.

DPA Refresher

There are three key terms in Data Protection: data subjects, data controllers, and data processors. For example, a University is a data controller with respect to the students or employees about whom it has personal information. The students and employees are the data subjects in this context: natural persons whose personal data is being processed by the data controller. An example of a data processor would be a third party to whom payroll operations are outsourced by the University employer in its capacity as a data controller.

Will you rely on consent or legal justification?

The GDPR will set a higher standard for consent to process personal data. It will require consent to be ‘freely given, specific, informed, and clearly indicated by a statement of affirmative action’. The new definition includes a requirement that consent is “unambiguous”. If consent is given through a written declaration it must be clearly distinguishable from other matters and easy to understand. This is a more dynamic approach to consent: it becomes organic and ongoing, requiring active management rather than a one-off tick-box approach.

This means that the standard ‘consent to process data’ clause that features in most employment contracts is unlikely to be sufficient after the GDPR comes into force. Also take care if you rely on pre-ticked boxes or other similar ‘opt-out’ approaches to obtaining consent. For consent to be a lawful reason for data processing under the GDPR, the individual must make an informed choice and ‘opt-in’. Actions 1-4.

However, importantly, according to guidance from the Information Commissioner’s Office (ICO), it will be particularly difficult under the GDPR for employers to rely on consent as the basis for processing. This is because there is an imbalance of power in the relationship between the individual and the organisation that controls the data, so consent will not be ‘freely given’.  Action 5.

For example, you could argue that it is necessary to process the data to fulfil your obligations under the employment contract. In reality this may be closer to the true situation, as most employers would need to continue processing employee data to some extent even if the employee had not given consent. It is better to choose the lawful basis that best reflects the purpose of the processing rather than relying on “consent” as a default across all instances of processing; e.g. payroll would be a legal justification because it is required under the contract, whereas an occupational health referral will require consent. Action 6.

Crucially, you will need to provide employees and applicants with a statement explaining the reason on which you have chosen to rely and exactly why you think it applies.

New data rights for employees

The GDPR extends the rights of the ‘data subject’ (the individual whose data is being processed), enhancing the entitlement to have data corrected and to object or restrict data processing. These rights are not often raised in an employment context.

However, a new ‘right to be forgotten’ rule may be problematic as employees may query why you need to hold ‘historic’ information about them and put pressure on you to delete it. Tensions will inevitably arise between the need to retain thorough employment records and information (for example regarding previous disciplinary issues and working arrangements) and good data protection practice.  Action 7.

Aggrieved employee? (Data subject access rights)

Employees and ex-employees can use GDPR rights to ask to see the information you hold about them and to be informed. The difference from the right under the existing rules is that the current compliance period of 40 days will be replaced with an obligation to comply ‘without undue delay’ and within one month. Be aware that an extension of two additional months is available if necessary where the request is complex. The collection of data in an employment context can be particularly challenging, as information is often unstructured and spread across different systems. It may be that the normal period of compliance will by default be stretched to three months in an employment context. The £10 fee applicable to requests under the Data Protection Act 1998 will be abolished. However, where a request is ‘manifestly unfounded or excessive’ you are entitled to charge a ‘reasonable fee’ to take into account administrative costs. Actions 8-11.

Lost Laptop? (Reporting a data breach)

Under the new rules, employers will be required to report a ‘personal data breach’ to the Information Commissioner promptly, and within 72 hours if feasible. If this timeframe is missed you must provide a ‘reasoned justification’ for the delay. There is no requirement to notify if the breach is unlikely to result in a risk to data subjects, e.g. where a lost laptop holds only encrypted data.

The term ‘personal data breach’ covers all kinds of commonly occurring workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It’s important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.  Actions 12,13.

Risk and cost of getting it wrong (Tougher Enforcement)

A tougher penalty regime supports the GDPR and ramps up the risk associated with a data breach. The maximum penalty for non-compliance will be increased to 20 million euros or 4% of worldwide turnover if greater. This is a big step up from the current maximum penalty of £500,000 in the UK. Although this may not necessarily mean higher penalties in practice for most data breaches (as the severity of the breach and any action taken to correct it will always be taken into account) these increased sanctions will undoubtedly lead to a much sharper focus on compliance.

Is there any good news for HR?

It is important to remember, and to communicate to employees, that the tougher data protection rules are a ‘two-way street’. To protect your organisation against the greater sanctions of the new regime you will certainly be entitled to ‘toughen up’ how you deal with data breaches perpetrated by your staff. Actions 14,15.

What can you do now?

Actions 16-22.

Actions to consider:

1. Create a separate form to obtain consent to data processing

2. Obtain specific consent for specific purposes (for example if you need to use an employee’s data to refer them to occupational health)

3. Maintain detailed records to demonstrate when and how consent has been provided

4. Outline a mechanism for employees to withdraw their consent, which they will have the right to do at any time

5. Consider whether it might be easier and more transparent to use an alternative legal justification for processing data.

6. Consider if you have a genuine and legitimate reason for processing the data.

7. Consider the adequacy of your HR system in terms of data cleansing and compliance with the University data retention policies.

8. Consider how your processes can be streamlined to respond quickly and efficiently and within one month.

9. Consider how you will justify an extension to three months in complex requests.

10. Consider how you will provide additional information to employees requesting access to their data. This includes the envisaged period of storage and information about the data subject’s rights (explained above).

11. Consider how you will demonstrate a request is ‘manifestly unfounded or excessive’ and you are entitled to charge a ‘reasonable fee’ to take into account administrative costs.

12. Have a clear policy on how to handle a breach within the time limit naming a designated point of contact with responsibility to report to the Information Commissioner.

13. Consider record keeping as records must be kept of all data breaches and any action taken, even where the obligation to notify the regulator is not triggered. Importantly, if there is a high risk to the data subject (for example the clients or customers named in the lost file) they must also be told.

14. Consider an employee communication around GDPR and the changes you intend to bring in.

15. Consider the Disciplinary Policy and Information Management Policy as you may be justified in taking a harder line in disciplinary action against employees who misuse confidential information about third parties or remove it from your secure systems.

16. Identify your existing data systems and what personal data you process;

17. Identify the steps you need to take to be ready for GDPR next year;

18. Identify and appoint a data protection officer (if you do not have one already);

19. Review your current documentation relating to data protection and consents including contracts, handbooks and policies;

20. Identify any “legitimate interests” which you have for processing data;

21. Establish a data breach policy and a data retention and storage policy (which includes emails);

22. Train HR staff in GDPR requirements.

Mark Leach is Partner and Susan Matthews is Associate in the Employment, Pensions and Immigration team at national law firm Weightmans LLP. Please contact mark.leach@weightmans.com or susan.matthews@weightmans.com to discuss any of the issues above.