In a nutshell
In recent years there has been a huge change in how data is stored, handled and moved. This includes the growth of the internet, use of email and the ability to download and store information on mobile phones and other hand-held devices.
The main legislation governing data protection in the UK is the Data Protection Act (DPA) 2018, which came into force in May 2018. This coincided with the introduction of the European General Data Protection Regulation (GDPR). The GDPR is a framework governing organisations that hold data on EU citizens and must be read and understood together with the DPA. These regulations mean that, as an employer, you have certain obligations to fulfil with regard to the data you hold on your employees.
There are similarities between the DPA and the GDPR; however, the GDPR imposes additional and different requirements, and the need for companies to demonstrate compliance is paramount. The GDPR has six principles, outlining that personal data must:
- be processed lawfully, fairly and in a transparent manner
- be collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes
- be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- be accurate and, where necessary, kept up-to-date. Every reasonable step should be taken to ensure that inaccurate personal data is erased or rectified without delay
- be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed
- be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Under GDPR, companies must also consider use of data by their suppliers and contractors.
What are the risks?
Fines for not complying with the GDPR have increased significantly and are set at two levels:
- Up to 10 million euros or 2% of the company's global annual turnover of the previous financial year, whichever is higher.
- Up to 20 million euros or 4% of the company's global annual turnover of the previous financial year, whichever is higher.
Given the steep fines it's vital to ensure you are complying with the regulations with regards to the data you hold on your employees.
Key steps to managing this issue
Whilst the GDPR deals with the holding of data on anyone, we are going to focus on your requirements with regards to holding data about your employees.
1. Be aware of the key terms and what the legislation means for employers
Your first step towards compliance is to be aware of the key terms used in this area and to understand what is required of you as an employer.
- Data Controller: The controller says how and why personal data is processed. The controller will be the company.
- Data Processor: The processor acts on the controller's behalf. The processor could be a contractor.
- Data Subject: An individual to whom the personal data relates. For example: an employee, previous employee, a client or a customer.
- Personal Data: Data held on an individual on either an IT system or within a manual system. For example, name, address, email address or National Insurance number (NI).
- Special Category Data (previously Sensitive Personal Data): Data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (eg fingerprint recognition), sex or sexual orientation. The inclusion of biometric and genetic data is new under the GDPR. Information about criminal convictions was included under the DPA, but this is now treated separately and is subject to tighter controls.
- Consent: Affirmative action is required. Silence, pre-ticked boxes, inactivity or a general term in a contract no longer confirms consent. A record must be kept on consent, and how and when it was given. Under the GDPR, a review of consent mechanisms must be carried out to ensure that standards are met. Where the standard is not met, an alternative legal basis should be found or processing should cease or not commence.
Who does the GDPR apply to?
The Data Controller: A company will be the controller and has to demonstrate compliance with the GDPR.
Where a data processor acts on the controller's behalf, the controller is obliged to ensure that the processor acts lawfully, and the controller must have contracts in place with the processor that comply with the GDPR. For example, a recruitment agency may be instructed to interview a candidate before they are sent to the company for interview. In this instance there should be a robust contract between the company and the recruitment agency covering the holding and storing of that data (eg the interview notes, as these may include personal data).
The controller will need the subject's explicit consent to collect, store and process data. For example, it is no longer the case that a clause within the employment contract will suffice – explicit consent must be given.
The controller must have privacy notices for the subjects on whom it holds data. The content of a privacy notice will vary depending on the type of subject. For example, the privacy notice for a job applicant is different from that for an employee.
The Data Processor: This may include contractors, recruitment agencies and head-hunters, who may only process personal data if they have documented instructions from the controller. The processor must ensure data security and is obliged to demonstrate compliance to the controller and to permit inspection and audit.
The Data Subject: This may include current and past staff; clients; customers; guests; and those on mailing lists. This list is not exhaustive.
What information does the GDPR apply to?
It applies to all personal and sensitive data.
Personal Data: The GDPR's definition is more detailed than the DPA's. Under the GDPR, it is clear that information such as an online identifier, for example an IP address (a numerical label assigned to each device connected to a computer network that uses the internet protocol for communication), counts as personal data. This inclusion reflects the change in technology and the way organisations collect information about people. It may, for example, include a shortlisting record in which applicants' names are removed and an applicant code is assigned to each applicant: personal data that has been given a pseudonym (for example, key-coded) is still personal data.
Special Category Data: The GDPR categories are similar to the DPA. The minor change is that there are now 'special categories of personal data' for example biometric data (see below).
2. Plan your compliance
You need to establish the legal basis for holding data. This is important because the legal basis for processing affects an individual's rights. For example, if you rely on the individual's consent, this gives them a right, for example, to erasure (see below).
The legal basis will also determine whether you need consent or need to issue a privacy notice. At least one of the six lawful bases for processing must be met. They are (as outlined in the ICO guidance):
- "Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone's life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is good reason to protect the individual's personal data which overrides legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)"
You can refer to the ICO guidance on the lawful basis for processing for more information.
With regard to people management processes, examples of legal processing may include:
- The requirement for a separate consent to hold their data in areas such as name, address, contact details, age or bank details. All of these are needed to ensure they can be paid and their pension arrangements are met.
- The statutory requirement for the holding of maternity MATB1 records.
Data protection by design and default, and Data Protection Impact Assessments (DPIAs)
Under the GDPR, technical and organisational measures must be in place to show that data protection has been considered and integrated into any processing activity. For example, if you are planning to install a new CCTV monitoring system in the workplace, you could carry out a Data Protection Impact Assessment (DPIA).
DPIAs are a tool that may help identify the most effective way to comply with the data protection obligations and meet individuals' expectation of privacy. They are not a legal requirement but the ICO has promoted their use. The ICO's Code of Practice 'Conducting privacy impact assessments - code of practice' on the ICO website provides more information.
Where a revision to an existing technology, project or activity may result in 'high risk' to the data protection rights of individuals, a DPIA will now be mandatory each time an organisation plans or proposes that activity. For example, if a new swipe-card system for letting staff in and out of the building and moving around the building is proposed, a DPIA should be carried out: although the overriding reason for having the system is security, it can also monitor the whereabouts of staff.
3. Follow the Information Commissioner's Office (ICO) 12-point plan
Once you understand what the legislation requires you can follow this 12-point plan from the ICO to help you comply with the GDPR.
1. Awareness
Change: The GDPR has changed previous data protection law and people need to be aware of this.
Action: Key people such as the Board and managers should be aware of the changes and the effects of those changes. Staff should be trained on a regular basis: 'regular' is not defined, but the view is to have annual training.
2. Information you are holding
Change: Where a company shares inaccurate personal data with another body, the company must inform the other body of the inaccuracy.
Change: Companies now have to show how they are compliant with GDPR.
Action: Companies should carry out an information audit to determine exactly what data they are holding, where the data originated, how long it has been held and with whom they share the details.
3. Communication of privacy information
Change: Whilst under the DPA privacy notices were advised, under GDPR additional information has to be given to individuals about their data being obtained.
Action: Review any privacy notices and policies and update where required. For example, it is now a requirement to issue a privacy notice to job applicants.
4. Individuals' rights
Change: The GDPR has enhanced individuals' rights. They are the right to rectification (ie wrong data is corrected); the right to be forgotten (ie the data is erased); the right to restrict processing (ie the individual can say what they want the data to be used for); the right to data portability (ie individuals can obtain and reuse (move, copy and transfer) their personal data for their own purposes across different sectors); the right to object (ie the individual can object to the holding of data); and the right not to be subject to automated decision-making and profiling (for example, the individual can state that they do not wish to be part of an automated decision-making process in recruitment).
Action: Adherence to those rights.
5. Subject Access Requests (SARs)
Change: The timescale under the GDPR will be 30 days (previously 40).
Change: No fee can be charged (previously £10) although if the request is deemed unreasonable, a fee may be imposed.
Change: Additional information may be provided to individuals, for example, the right to have inaccuracies corrected.
6. Legal basis for processing personal data
Change: Privacy notices must state the legal basis for processing the data. Individuals' rights will vary according to the legal basis for processing the data.
Action: Review the data processing that is carried out and then identify and document the legal basis for the data processing.
7. Consent
Change: Data controllers must be able to show that consent has been given. Consent must be given freely, and be specific, clear and informed.
Action: To ensure compliance, you should review all methods for seeking and obtaining consent.
8. Children
Change: Consent of the parent or guardian must be given to process personal information about children.
Action: Review methods for seeking and obtaining consent.
9. Data breaches
Change: There are specific requirements about the reporting of a breach.
Action: Ensure processes are in place to detect, investigate and report personal data breaches. Ensure staff understand what is meant by a breach and the breach reporting protocol.
10. Data protection by design and DPIAs
Change: Organisations must promote privacy and data protection compliance. DPIAs must be used where applicable.
Action: Understand when and how DPIAs should be used.
11. Data Protection Officers (DPOs)
Change: Large businesses and public authorities have to appoint a DPO.
Action: If required, have a designated DPO. Take advice if you are not sure.
12. International
Change: The GDPR creates a system for determining which data protection supervisory body is relevant to an organisation.
Action: If you operate internationally, consider which supervisory body is appropriate for you.
Tools and resources
Use the GDPR compliance checklist to help ensure you meet all of your obligations as an employer.
The materials on this site are for guidance only and do not constitute legal or other professional advice. You should consult your professional adviser for legal or other advice.
The CIPD is not liable for any damages arising in contract, tort or otherwise from the use of or inability to use this site or any material contained in it, or from any action or decision taken as a result of using the site.