With just 100 days to go until the General Data Protection Regulation (GDPR) comes into force, many employers are still grappling with the requirements of the new regime. What steps should employers be taking to ensure they are ready for 25 May 2018?
What should employers be considering?
The GDPR will bring with it some important changes to data protection law. The GDPR will be supplemented in UK law by the in-draft Data Protection Bill, which is passing through Parliament at present. Organisations need to plan for the implementation of the GDPR and the Data Protection Bill. We have highlighted 12 key steps which employers should be taking now:
1. Lawful basis for processing
Consider the current lawful basis relied on for processing employee data and whether this can still be relied upon under the GDPR. Most employers currently rely on employees giving consent to the processing of the data in an employment context by including a clause to that effect in their employment contract. However consent in this context is unlikely to be lawful under the GDPR and therefore employers will need to consider an alternative basis for processing employee data. Employees must be informed of the employer's change in approach to processing their personal data before 25 May.
2. Privacy notices
Employers will also be required to inform employees of what data they collect, what lawful basis they rely on for doing so, what the data will be used for, how it will be stored, who will have access to it and for how long it will be kept. All of this information must be set out in a privacy notice. Employers should therefore be preparing appropriate privacy notices for their employees, together with their job applicants, consultants and ex-employees. Employers should carry out an audit process now to properly understand and collate the information they need to communicate meaningful privacy notices.
3. Legitimate interests assessment
Where an employer seeks to rely on its legitimate interests as a lawful basis for processing of employee data, it will first need to carry out a legitimate interests assessment to ensure that it has balanced the legitimate interests with the privacy rights and freedoms of the employee and that any processing to be carried out is proportionate in the circumstances. Employers should be completing such assessments now, and including details in their privacy notices, ready for May.
4. Updating policies and procedures
The changes under the GDPR and the Data Protection Bill will need to be reflected in an organisation's policies and procedures, most notably any Data Protection policy, IT security policies, disciplinary and grievance procedures and data retention policies. Employers should therefore ensure that such documents are updated in readiness for May.
5. Data cleansing
Given that one of the principles under the GDPR is data minimisation, now is a good time for employers to be undertaking a data cleansing exercise, deleting data which is no longer required, such as duplicate copy disciplinary notes or old CVs kept in a manager's drawer 'just in case'. Employers should introduce measures to ensure that employees' details are kept up-to-date and accurate.
6. Review recruitment processes
Employers who carry out blanket criminal records checks as part of their recruitment process will need to review such procedures as currently it appears that such checks will not be permissible under the GDPR other than in relation to specific regulated activities.
7. Get ready for DPIAs
Any organisations looking to introduce new systems or processes which are likely to be a high risk to the privacy rights of individuals will need to carry out a Data Protection Impact Assessment prior to doing so once the GDPR comes into force. For example, this could apply to employers looking to introduce a new vehicle tracking system, random drug testing or CCTV surveillance. Employers should therefore make sure that they have appropriate forms / guidance notes in place now to support such assessments.
8. Third party providers
Where an employer outsources certain functions to a third party provider, such as a payroll provider, then it will be important to review the contractual arrangements in place with those providers. Under GDPR there are certain clauses which have to be included in the contracts and there are also certain provisions, such as indemnities and warranties to cover a data breach by the third party, which are advisable to cover in the contract.
9. Data subject access
Data subject rights under the GDPR are enhanced, most notably in relation to data subject access requests. Employers should therefore update their systems and policies to take account of these changes. It is also advisable to have a specific data subject access policy to help employees understand what data subject access requests are and how they will be dealt with by the organisation. It will also be important to consider whether current systems are sufficient to readily identify, locate and supply employee's data in order to enable an organisation to respond to a data subject access request. If not, now is the time to update these systems.
Reviewing current security measures will also be important, in particular considering who has access to employee data especially health information which is classed as special categories of data under the GDPR. Organisations should ask themselves whether access to this information should be limited, what information should be locked away and what practices should be in place to encrypt and/or password protect information.
The new regime will require every person within an organisation to understand and comply with data protection obligations. It is therefore essential that employers put in place appropriate training programmes for managers and staff which should be completed prior to May.
12. Record keeping
Finally, under the GDPR there is a new accountability principle, which means that organisations must be able to demonstrate compliance with the new regime. Employers will therefore need to ensure that they have appropriate record keeping processes in place.
Shoosmiths' GDPR DRIVE
In order to help your organisation assess the extent to which it processes personal data in accordance with the current Data Protection Act 1998 and the GDPR we can carry out a detailed audit for you, providing you with a report and working with you in order to agree a tailored service that identifies key risk areas for your organisation and which arms you with the information you need to address any key non-compliance issues so you are ready for 25 May 2018. It will also mean you can optimise your data collection and use to make the most of the data and drive business benefits.
For any further information please speak to your usual Shoosmiths contact or visit www.shoosmiths.co.uk/data - We can help you with that.
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.