On 25 May 2018 the much-awaited GDPR came into force. This piece of EU legislation will have a significant impact on the requirements employers must fulfil in order to lawfully collect and process personal data about their employees.
It’s therefore important that employers are not only aware of the changes and new rights for data subjects, but put in place key documents required to demonstrate compliance.
Data Protection and Retention Policies
The GDPR makes wide ranging changes to the basic data principles and the rights of individuals in relation to data. The Data Protection Act 2018, also brought into law on 25 May, sits alongside and expands on some areas of the GDPR.
This means that data protection policies written to comply with the Data Protection Act 1998 will need to be updated. For example, any internal data protection policy will need to replace references to the principles under the 1998 Act with the principles under the GDPR, and should cover the bases on which the organisation will process personal and sensitive information.
Additionally, any internal data protection policy should cover how the employer will deal with criminal records information relating to staff, the obligations on employees to comply with the policy and consequences for failing to do so, and who employees should contact if they wish to exercise any of their rights or to report a data protection breach.
It is also important that, either within the data protection policy or as a stand-alone document, employers have a clear retention schedule relating to the documents they process. For each document processed, this schedule should specify either how long the document will be kept for or what test will be applied to calculate when the document is no longer needed and can be destroyed. For example, many employment-related documents can be destroyed 6 years after the employment has terminated, as this is the limitation period for any contract-based claims in the county court.
Many organisations will be familiar with using privacy or ‘fair processing’ notices for customers, which inform them what data will be collected and how it will be processed. In order to comply with the requirement under the GDPR that employers process data fairly and transparently, all current and prospective employees should now also be issued with privacy notices.
These notices should set out:
• what data is collected and why;
• how the data will be collected;
• how the data will be used;
• who the data may be shared with;
• how long the data will be kept for;
• where the data will be held; and,
• whether the data will be transferred outside the EEA.
Information collected is likely to include names and contact details of the employee, their emergency contacts, their bank account details, information about grievances involving or about the employee, and sickness/absence records. It’s important that each type of data and the reason for processing it is listed, as it won’t be possible to use “catch-all” clauses to cover anything that the privacy notice doesn’t explicitly list.
For prospective employees, privacy notices can be included with the standard information pack whilst existing employees can be signposted to an accessible copy of the notice, such as on the organisation’s intranet.
Agreements with Third Parties
There are many circumstances in which personal data of employees may be shared with third parties, such as payroll or pension providers. Under the GDPR, data controllers must have a written contract with third parties they share data with under which the third party gives guarantees that they will act in accordance with the GDPR.
Agreements with third parties should therefore specify that:
• the third party will only process the data provided on the employer’s written instructions;
• employees of the third party and other persons who will process the data have a duty of confidentiality;
• the third party will assist the employer in dealing with subject access requests and circumstances in which individuals exercise their rights (such as the right of rectification);
• the third party will notify the employer of any data breach;
• the third party will delete or return all personal data at the end of the contract, and submit to any audits and inspections as requested by the employer; and,
• sub-processors may only be engaged by the third party with the employer’s consent.
Where contracts with third-party processors currently do not cover the above, you may wish to consider varying these agreements or entering into an additional data processing agreement. In future it is likely that industry standards or kite marks will develop to assist in identifying suppliers which are compliant with these requirements.
If you would like any assistance in reviewing or preparing any of the documents mentioned above to comply with the GDPR, please contact your usual contact in the Employment and Pensions team.