How to Avoid a Ridiculously Large Fine for a Breach of Data Regulation (and What To Do With Personal Data Belonging to Your Employees)
What’s the potential fine? Up to €20 million or 4% of annual global turnover, whichever is the greater.
How could you incur this fine? By failing to take steps to ensure your company is compliant with major changes to the regulations regarding the possession and processing of personal data.
Does it apply to me? Yes. If your company is in possession of ANY personal data you must make sure you are processing it in a manner that complies with the new data protection regulation: the General Data Protection Regulation (GDPR). The GDPR will be active from 25 May 2018.
What is personal data? Any data from which an individual can be identified. The new regulations will apply even if the data you hold is as minimal as a name kept together with a telephone number. Importantly, personal data includes any data you hold about your employees. On a practical note it includes bank details, payroll information and addresses (assuming an individual can be identified in conjunction with this information). But perhaps less widely understood is that it also includes any emails, communications and files (including personnel files) where an individual is the subject matter. The GDPR applies as much to a small business where the possession and processing of personal data is incidental to the business as it does to companies that actively collect personal data.
But the person whose data I have gave me consent to use it. You still need to check that the consent you obtained would remain valid under the new regulations. The ability to freely give consent has been specifically addressed by the GDPR and in some cases “consent” that has been given in the past will no longer be valid. In particular, “consent” given by employees for the processing of their personal data is unlikely to remain valid under the GDPR.
But how can I employ someone if they don’t consent to me processing their personal data? Clearly, an employer requires an employee to provide them with data such as bank account details, address, etc., in order for the employment relationship to function. However, until now it has been possible to obtain this information and comply with the current data protection regulations by including a “consent” clause in the employment contract. It is unlikely this form of consent would be accepted under the GDPR.
As employees are generally in a weaker position than an employer, a requirement for them to consent to the processing of their personal data as part of the terms of their employment is unlikely to be viewed as consent that has been “freely given”.
Instead, the GDPR provides alternatives to the requirement to obtain consent. Essentially, if you can show that the processing of the data is “necessary” and being carried out in a manner that complies with the GDPR, you may not need to obtain specific consent to process your employees’ personal data. The GDPR sets out five scenarios where it can be “necessary” to process personal data. One is in order to perform a contract, which seems potentially the most apt where the reason for processing without consent would be in order to fulfill an employment contract.
What steps should I take to ensure I comply with the GDPR when processing my employees’ personal data?
A: Carry out a review of all the employee personal data you hold. Examine why you have that information, how it is stored and the reasons why you need it. Keep records of the review you follow and document your conclusions.
B: Make sure you are satisfied with the legal basis you are relying on to process your employees’ personal data. If you no longer expect to rely on having their consent, determine which of the “necessary” reasons you will rely on instead.
C: Provide all employees with details regarding the processing of their personal data (a privacy notice). Amongst other things this should include the legal basis you are relying on to carry out the processing, how their data will be used, whether their data will be shared and how long it will be kept. You should also include information about their rights: to request copies of the information that you hold about them, to request amendment to it if it is wrong or deletion if you no longer need the data, and to complain to the ICO if they are not happy about any aspect of how their data is being processed.
D: Make sure that you have an up-to-date Data Protection Policy of which all staff are aware.
E: Implement a system for processing that is designed to comply with the GDPR. This should include looking at how you would delete personal data or provide it electronically if requested to do so. If you use a third party for any data processing, such as payroll, make sure you are satisfied that they will process any personal data you provide in line with the GDPR’s requirements.
F: Consider whether you need to formally appoint a Data Protection Officer. From an HR perspective this may be required if you have a large number of employees whose data is processed on a regular and systematic basis.
The above information gives an overview of matters to consider for compliance with the GDPR. If you would like more detailed advice or assistance with ensuring your company is GDPR compliant from an HR perspective, I will be happy to help.