An employer's guide to GDPR

Ross Hutchison


What has GDPR meant for employers? We offer guidance for employers on the key issues.

When it took effect on 25 May 2018, the General Data Protection Regulation introduced a number of stringent requirements for all companies that deal with EU citizens, and in particular for employers, who had to ensure that they met the requirements of GDPR when processing employee data.

So what has GDPR meant for employers? Below we offer guidance for employers on the key issues.


Data audits

If you have not already done so, it is vital that you perform a data audit. This is the aspect which will require the most from you as employers. However, once done, it will feed into the majority of the other tasks required to be undertaken to ensure compliance.

In short, all employers should review all the personal data and special categories of personal data (sensitive personal data by another name) that they hold or process, and look at:

  1. Why you have it
  2. Whether you need it
  3. What you do with that data
  4. The type of data it is
  5. Whether there is a lawful processing basis for retaining it under GDPR
  6. How long you need to keep it
  7. What measures you have in place for keeping it secure

Under GDPR you are only to process and/or retain personal data if you have a specified lawful basis to do so. This will usually be one of the following reasons:

If you do not have a lawful basis, you should not retain it. If you had a lawful basis but that has expired (i.e. you no longer need it), then there are limited circumstances in which you should retain it.


By conducting the audit, you will be able to identify not only the data you do not need but, more importantly, the data you do need. You can then identify a lawful basis on which that data continues to be processed and ensure that it is retained securely.

This process will also help you identify any problem areas and may help you to rectify problems with security, retention or processing. We are happy to advise on any potential problem areas identified.

Should a data breach occur in the future, or should the Information Commissioner scrutinise your compliance, this exercise will be a cornerstone of demonstrating to the ICO that you took positive steps to comply with GDPR, that you were aware of what you needed to do, and that you took steps to avert the risk areas.

If you have not already done so, it is vital that you address the above questions as soon as possible.

Data protection basics

It is important that employers remember that GDPR is more evolution than revolution in data compliance. Many of the basics are the same as they were under former data protection legislation. In particular:

Data protection principles

  1. Personal data — effectively the same as under former data protection legislation.
  2. Sensitive personal data — now called “special categories of personal data” but effectively the same as under former data protection legislation.
  3. Data retention periods — employers' obligations have remained effectively the same as under former data protection legislation.
  4. Data security — again, effectively the same as under former data protection legislation.

There are also some very important changes under GDPR. Importantly, though, employers need to recognise that GDPR has brought a heightened awareness of data protection rights, has significantly extended the Information Commissioner’s Office's powers to impose financial penalties, and has increased the potential for employers to face litigation from employees who believe that their personal data is being mishandled.

Getting the basics right is crucial: be clear about what personal data you are collecting and why; tell your employees what you are doing and why; be satisfied that you are entitled to collect that data; and treat it with respect — don’t disclose it to third parties unless you need to, keep it secure and don’t keep it longer than you need to. All employers should already be taking these basic compliance steps.

Privacy notices

Under GDPR you are required to inform data subjects of what you will do with their data upon receipt or within a month of receipt. You do this through Privacy Notices and there are specific issues that you must address.

Receipt of personal data can occur at any time, but our advice to employers is to put systems in place to ensure that Privacy Notices (or at least links to them) are sent to data subjects at the times you normally receive personal data. The two main situations for employers are:

  1. Applicants for employment/engagement; and
  2. New starting employees.

Applicants will usually complete an application form and provide a CV, both of which are likely to include personal data such as names, addresses, telephone numbers and nationality.

New starters will have to provide you with the same data as above, as well as other information such as bank account details, National Insurance numbers, Right to Work documentation and often medical information establishing fitness to work.

Both these situations will need Privacy Notices setting out issues such as:

The audit referred to above will assist in the compilation of these notices.

Consent

There has been a lot of misinformation produced about the use of consent as a legal basis for employers to process personal data under GDPR.

The important points to note however are:

  1. Consent remains a legal basis upon which to process personal data, but
  2. GDPR puts limitations on its use.

GDPR offers employers numerous options for establishing a legal basis to process the data they hold that do not rely on consent, and we would suggest that a good starting point is to avoid using consent wherever another lawful processing basis can be found.

For example, under the Data Protection Act, employers commonly relied upon consent for the processing of medical data.

Under GDPR however, there is an express legal basis for processing such sensitive personal data for the purpose of considering fitness for work. Consent is not required.

That said, if consent is to be used it will need to be:

The data subject will also need to be informed of their right to withdraw consent at any time.

Data breaches

GDPR imposed obligations that require employers to both record and report data breaches.

Reporting

Following the introduction of GDPR, if a personal data breach occurs which is a high risk to the rights and freedoms of individuals (for example, where the personal data is exposed so that it could be accessed by others), an employer must notify the ICO without undue delay and not later than 72 hours after having become aware of it.

Reporting is only required when a data breach is a high risk. Where this is the case, the following needs to be set out to the ICO:

The employer will also need to inform the individuals affected of the breach and of the last three bullet points above (unless limited exceptions apply).


Recording

Whilst non-high-risk breaches do not require reporting to the ICO, they do require recording (along with the high-risk ones). The record should also set out the steps taken to mitigate the risk of such breaches occurring again. That log should be stored securely in case the ICO wishes to inspect it.

To comply with the reporting and recording requirements above, employee education on these issues is key.

For more information, see our article on what to do if a data breach occurs.

Employment contract clauses

Under the GDPR, consent is supposed to be freely given, informed, unambiguous and unbundled from other terms and conditions.

The Information Commissioner’s guidance tells us that:

“Freely given consent will … be very difficult to obtain in the context of a relationship where there is an imbalance of power — particularly for … employers.”

That means one perfectly sensible approach is to decide that such provisions are of no value post-GDPR and to remove them from the employment contract altogether. It would still be good practice to include something that requires your new employee to adhere to data protection principles or your policy, but as consent given in such a document is of such limited value, the consent wording itself could be removed.

If consent is to be obtained for any particular piece of processing (such as obtaining an occupational health report or using the employee's photo for marketing purposes), then it can be freely obtained at that time, separately (without the employee risking an adverse sanction for refusing) and addressed specifically to the thing you want them to agree to.

However, there is an alternative view that there is no downside to including a provision in the contract which addresses data protection and obtains consent to the (possibly limited) extent that you are able to do so.

Such a clause could:

Only time will tell whether such provisions become the norm or whether these clauses will disappear altogether, but for now, you are likely to need to at least slightly vary your contractual provisions if you decide not to remove them altogether.

Don’t forget that your new recruit should also be given a privacy notice, as we explored above.

HR record retention

The Information Commissioner says that, under GDPR, organisations (as data controllers) need to document retention schedules for the different categories of personal data. The ICO says that this may be set by internal policies or based on industry guidelines. So under GDPR, you need to have a written statement saying how long you will keep different types of employee data.

So how long is that? Remember that processing data includes simply storing it, so if you don’t have a lawful reason for keeping it, you shouldn’t do so. The plans you have in place to demonstrate GDPR compliance should spell out not just how long you are keeping things for, but why.

Whilst you do need to have a valid lawful reason for retaining documents, overly optimistic statements on data retention/destruction may also cause you problems.

We know that the Information Commissioner is unimpressed if organisations do not adhere to what they say about documentation retention, so when setting out what you will do, be realistic and record what will actually happen.

Whilst we have heard of GDPR 'experts' recommending the wholesale destruction of most employee records, we would recommend being more cautious.

Documentation is so important when it comes to defending an employment claim that we would always say it is better to keep records for as long as you can, where you may need to do so. In most cases this risk will be a legitimate reason to retain records, and the limitation periods for claims provide a sensible rationale for the retention period.

An employee can bring a claim for breach of contract at any time up to six years after their employment has ceased. Accordingly, the period of six years from the end of employment provides a sensible starting point for record retention.


However, strictly speaking, you do need to keep the records a little longer, as you will not necessarily be notified of a claim until after the six years have expired.

Similarly, the period for which most employee records need to be retained for tax purposes is six years from the end of the relevant tax year, so some variation on six or seven years may be a sensible period — with the period beyond six years allowing for the possibility of a late-notified claim or for the end of the tax year.

Retention periods do however need a little bit more consideration for employee records and one size does not fit all. Some other periods to consider are:

When determining and recording how long to keep things it is also worth being sensible about how destruction will occur. For those with slick computerised systems, specific destruction periods may be workable, but for those of you taking on the job of destroying physical files, it will be worth recording in your policy that destruction will be undertaken periodically (and possibly defining roughly when that will occur).

What is also important with record retention is the security applied. Whilst advising on GDPR implementation, we have been told some concerning stories about managers with box files open to anyone which contain all sorts of staff personal data and documents. The records you keep must be retained securely and, ideally, centrally.

The Information Commissioner will look to all employers to have a policy detailing the periods of retention of employee records/data, but they will be far more concerned about what you have in place if an ex-employee's personal data is accessed and disseminated by one of your staff who did not have a legitimate reason to access it.

Pension schemes

GDPR applies to pension schemes too. The practical implications of GDPR depend largely on the type of pension scheme that you offer for your workers.

If you offer a contract-based scheme (such as a group personal pension), the onus of GDPR for the scheme will fall largely on the provider. The same is true if you participate in one of the commercial master trust schemes used by many employers to comply with their automatic enrolment obligations.

If you have your own trust-based occupational pension scheme, however, there is more work to do. The legal responsibility falls primarily on the scheme trustees.

Key GDPR related action points for scheme trustees include:

  1. Issue GDPR compliant privacy notices to members. Alternatively, some trustees may prefer to review and update existing notices.
  2. Review and update other scheme documents such as membership forms and death benefit nomination forms.
  3. Contact external administrators and other service providers to check what scheme data they hold and the compliance measures they are taking.
  4. Identify the categories of data held and the legal grounds for processing it. So far as possible, pension schemes will want to rely on grounds other than consent.
  5. Review and update contracts with service providers to ensure they contain suitable GDPR provisions.
  6. Put in place a policy for identifying and reporting any breaches to the ICO.
  7. Prepare a GDPR policy to document processes and to help demonstrate compliance.

As an employer, you have an interest in ensuring that your scheme is GDPR compliant. Compliance breaches may reflect administrative weaknesses in the scheme and may damage the scheme's reputation in the workplace. Under most schemes, the costs associated with non-compliance (including potential fines) may ultimately be borne by the employer.

Scheme trustees and employers should discuss GDPR and cyber security issues. Working together, especially in matters such as IT support, will help to minimise overall costs.

You may already have made a substantial investment in ensuring that your business is GDPR compliant. If you have not already done so, ask the trustees of your pension scheme to confirm they are GDPR compliant.

Subject Access Requests

Whilst Subject Access Requests (SARs) are not new, GDPR has brought in some changes. Below is a selection of some of the changes and a few things to remember when dealing with them.

Overall, we believe there will likely be an increase in SARs going forward (largely due to the fee issue referred to below) but it is difficult to predict how much at this stage.

Things to remember:

Medical records and consent

Health information is “special category data” under the GDPR and the employer needs to show a lawful basis for processing it.

Under the Data Protection Act, employers typically relied on consent to process medical information about their employees. Whilst explicit consent is a lawful basis for processing medical records and reports under the GDPR it is generally not appropriate to rely on consent in the employment context. So if consent is not an option, what is?

The most likely lawful reason in this context is that the processing is necessary for the performance of rights and obligations in connection with employment, for example:

Where an employee genuinely volunteers health information it may be appropriate to rely on consent, but employers must bear in mind that consent can be withdrawn; if it is, and there is no other legal basis to process the data, the data should not be retained.

You also need to bear in mind that under the Access to Medical Records Act, consent will still be required to obtain a medical report about an employee. One-off reports from Occupational Health providers, company doctors and specialists may not strictly be covered by the Access to Medical Records Act but it is usual nonetheless to seek specific consent from the employee.

If the employee has not already been given a Privacy Notice this should be done prior to the data being obtained and it is advisable to provide employees with a specific privacy notice for the medical records.

Our experts in GDPR in health and social care can assist you if you are in any doubt.

Disciplinary and grievance records

The Information Commissioner says that, under GDPR, organisations (as data controllers) need to document retention schedules for the different categories of personal data.

Information concerning disciplinary and grievance issues is no different to other types of data that you may retain about your employees, but you do need to give special consideration to how long you will retain the data and what you will use it for, and ensure that it is destroyed in accordance with the schedule you have set.

Remember that within disciplinary and grievance matters there will be a wide range of data collected including:

You must ensure that the data is only used for the purposes you have told the employees it is being processed for. Your privacy notice should set this out.

We know that many employers struggle with how long (if at all) to retain expired warnings on file. It is often useful to retain details of expired warnings for a period of time as there are limited circumstances where a spent warning may be taken into account in future disciplinary matters.

The Information Commissioner suggests that employers have a clear procedure for how expired disciplinary sanctions are dealt with.

If your policies or the letter confirming the warning say that spent warnings will be destroyed or removed from the personnel file, it is important that you do so. Ideally, however, your policies, privacy notice and letters should refer to warnings becoming spent without stating that they will always be removed; that enables you to retain spent warnings in case they are relevant without breaching what you have said.

As with many data issues, it is sensible to have appropriate limits upon who can access such information.

When employment is terminated, you should keep an accurate record of the reason for dismissal and this should mirror what the employee was told. This may be relevant if the employee brings a claim or requests a reference in the future.

As a minimum, disciplinary and grievance records should be kept for at least six months following termination of employment, to ensure that you have all the relevant paperwork in the event that a claim is brought against the organisation. However, there is certainly justification for retaining the records for longer, given that employees have up to six years to bring a breach of contract claim.

What is absolutely critical is to ensure that you have a policy and implement it. We know that the Information Commissioner is unimpressed by organisations that do not do what they say they are going to do. Therefore, however long you decide to retain the records, you need to ensure that destruction within that period is realistic for your organisation.

As with all employee data, security is of paramount importance. Once a disciplinary or grievance matter has been concluded it is important that the manager dealing with the issue returns or destroys their copy of the paperwork and a single central record is retained to avoid anyone being able to access it who has no legitimate reason to do so.

Financial penalties

Under the General Data Protection Regulation, the Regulator can penalise organisations for breaching the GDPR.

So how can you avoid being subject to a fine?

As the potential fines are substantial, it is good practice to ensure you are compliant with the Regulation and don’t get caught out.

If, however, you are found to be in breach of the GDPR, the Regulator can apply one of two levels of fines against you, namely:

  1. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher; or
  2. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

It is important to note that these figures are the maximum figures. Infringements that could warrant the higher level of fine include, but are not limited to:

It is worthy of note that fines for infringements will be considered on a case-by-case basis. Before deciding to impose a fine on you for a potential breach, certain elements will be taken into consideration, for example:

The value of any fine is, however, not clear-cut. Your behaviour will be taken into account when determining its value, and you may be able to reduce any fine by, for example, promoting a culture of data protection and being able to show the steps you have taken to comply.

One final point, separate from these fines and penalties: you should be aware that individuals have the right to claim compensation for any damage they believe they have suffered as a result of a breach of the GDPR.

Ross is a Principal Associate in the employment, pensions and immigration team.