In tackling GDPR don’t overlook your employer responsibilities
GDPR. Four letters of the alphabet that are proving to represent one of the biggest challenges facing businesses in 2018. The General Data Protection Regulation (GDPR) comes into effect on 25th May across the European Union (including the UK) and impacts any organisation that operates within the EU and/or that processes data of EU citizens wherever they may be in the world. How organisations hold, store and process personal data will now be subject to higher, and more consistent, scrutiny with the potential penalty for non-compliance being significant.
Much attention is already being given to how customer data is handled under GDPR, especially in the hospitality sector, where hotels in particular process a high volume of personal information and payment data. However, GDPR affects not only how a business interacts with its external customers but also how it manages data internally with regard to its employees. In an industry such as hospitality, where the labour force is so often highly diverse and comprised of multiple nationalities, very few organisations will be unaffected by GDPR. To explore the burden being placed on employers we spoke to Adele Martins, Partner and head of the Employment Department at law firm Magrath Sheldrick LLP.
Adele, how far does GDPR go beyond existing data protection regulations when it comes to how employees’ details are handled?
The GDPR is considerably stricter in its requirements than the UK’s Data Protection Act (DPA). Whilst there are some similarities in relation to the categories of data, the obligations placed on controllers / processors of personal data are stricter, and the penalties very considerably higher. The publicity around the GDPR is a good thing as it will encourage businesses to take their actions in relation to data much more seriously.
Personal Data is enormously valuable and I think people are playing catch up. Individuals do not realise how / why / where their data is processed and transferred and with technology ever evolving I think creating awareness and enabling people to make informed choices about their data is vital. As such, the requirement for Privacy Notices to be issued to data subjects before data is captured and processed is a great leap forward.
What qualifies as ‘sensitive data’?
Sensitive data is just that – information about you that is more sensitive and consequentially you are likely to want to keep more confidential. For example most people will not regard their name as particularly sensitive data – many will be on employer’s websites as mine is on ours. However people will regard information about their health or their sexual orientation as more confidential.
Technically Sensitive Personal Data or Special Categories of Data include information about a person’s race or ethnic origin, their health or sex life, their sexual orientation, political opinions, religious / philosophical beliefs, trade union membership and genetic and biometric data.
How is employee consent defined and best obtained?
The GDPR makes it clear that consent must be freely given, specific, informed and unambiguous. It can no longer be implied from silence, pre-ticked boxes or inactivity. The difficulty with the employment relationship is the inequality of bargaining power between employee and employer, suggesting that the old mechanism of including an agreement to “consent” to the processing of personal data in an employment contract is no longer likely to be enforceable. Can it really be said to be freely given if execution of the contract is conditional upon it?
My recommendation is a separate, clearly drafted Privacy Notice, which sets out all of the information that the employee is required to be given but is distinct and separate from their contract of employment. The contract can, of course, refer to the employer’s privacy policy or data protection policy, but it is sensible for the issue of “consent” to be separate. Ideally the Privacy Notice will require the employee to acknowledge that they have read and understood it, and separately request consent for processing.
Ultimately an employer wants to be able to rely on an alternative justification for the processing, such as processing the data to perform obligations under a contract of employment; in accordance with the employer’s legitimate interests or to comply with the employer’s legal obligations. Consent should not be regarded as the goal, but rather the icing on the cake. That said, explicit consent is required for the processing of sensitive / special categories of data, cross border transfers or decisions based on automated processing. I am advising a “consent plus X” approach.
A lot of businesses have external suppliers who are exposed to personal employee information, for example payroll providers. With which party does responsibility for GDPR compliance lie?
That’s a great question and one causing some consternation. However the simple answer is …. Both! One will be the controller (normally the party that collects the data and makes decisions as to what to do with it) and the other will be the processor (the party that is passed the data by the controller and essentially told what to do with it). Both controllers and processors have extensive obligations under the GDPR. The advice to controllers must be to ensure that they have appropriate agreements in place with their providers to ensure that those providers (processors) are contractually obliged to ensure that they are processing data appropriately.
What are your guidelines around how ex-employee data is best handled? For how long should data be stored before being destroyed?
Again, something that is causing concern. Many HR professionals have a habit of retaining all data for as long as possible. However, under the GDPR that is just not appropriate any more. Anyone responsible for processing personal data needs to ask themselves how long they actually need the information for and what purpose it could realistically have.
In relation to employment records, there is an argument for holding a substantial amount of information for some time after employment ends – on the grounds that a breach of contract claim could be brought up to 6 years after employment ends and a claim for personal injury for up to 3 years from the date of injury. However, as the time limit for Employment Tribunal claims for unfair dismissal, discrimination etc. is considerably less one should question the purpose of holding information for longer. For example, clearly there is a rationale for retaining the contract of employment and other contractual information for over 6 years (maybe 6.5 years) in order to defend a claim for breach. However, whilst there may be a justification for holding records of sick days and sick pay for that period, i.e. to defend a breach of contract claim, would you really need the information as to the reasons for those sick days? Would you need information on someone’s sexual orientation, or race?
Employers need to undertake proper data audits and consider what information they need to hold on to and why. After 6.5 years I can see no justification for holding any information other than dates of employment and position held for reference purposes.
If you are, say, a hotel in New York and you employ a French national in the kitchen, are you subject to GDPR? What rights does the employee have in that situation?
The GDPR is interesting (I accept not to everyone but bear with me) in that it stems from the EU, and is designed to protect EU nationals BUT has implications worldwide. The GDPR applies to data controllers / processors outside of the EU if they are offering goods / services to individuals within the EU or are profiling the behaviour of individuals within the EU. There must be an intention to offer goods / services to those individuals, as opposed to those goods / services simply being accessible (perhaps evidenced by a local language / currency etc.) and monitoring includes tracking and profiling (online behavioural analysis – i.e. collecting info about websites visited) but if those scenarios apply then the GDPR applies. It applies even if processing happens outside of the EU and whether or not there is an establishment within the EU!
So, a hotel in NY employing a French national is processing the personal data of an EU national but that EU national is not within the EU. Does that mean they are off the hook? No. The EU national is still likely to be protected by the GDPR – not least because they are bound to return to the EU at some point and the processing will not stop when they do.
Unless a business does not employ EU nationals, does not offer goods or services to individuals within the EU (and who can truly say that), does not monitor website activity from the EU then they are likely to be caught by the GDPR and given the levels of possible fine, should start getting processes in place to ensure compliance.
What are the sanctions for failing to comply?
The maximum sanction under the GDPR is a whopping Euro 20,000,000 or in the case of a corporate undertaking 4% of global annual turnover – so potentially much higher than the maximum Euro 20 million figure. Whilst fines of such magnitude will only apply to the most serious breaches, authorities can issue fines of up to Euro 10 million or 2% of worldwide annual turnover for lesser infringements – so still a very serious incentive to comply.
That said, the adverse publicity is likely to be a very serious deterrent for most businesses. People are becoming much more aware of their data rights, and no business wants to be seen to be exploiting those or failing to keep data safe, let alone selling it or misusing it for example by processing that data for reasons other than those for which it was collected.
What 3 things should every employer be making sure they have in place before 25th May?
Appropriate data protection personnel internally and at a senior level tasked with understanding the requirements of the GDPR, who can undertake a comprehensive data audit, understand and implement the processes and procedures needed to ensure compliance, and ensure that data is properly managed to minimise risk to data subjects, and to the business.
Appropriate security measures to ensure that personal data is properly stored, securely processed, retained only for as long as necessary and then appropriately destroyed.
Appropriate Privacy Notices (both with employees and other data subjects) to ensure that the individuals in question understand what data they are providing, how and why it will be processed and how it will be protected.
And that’s before you start thinking about website notifications, terms of business with customers / clients and business partners, hardware and software security etc. Many businesses are daunted by the task and some are sticking their heads in the sand as a result. It is however a task that needs to be tackled, and with luck a data audit will identify many areas in which businesses are already compliant. The rest is doable and not as onerous as it seems but it does require commitment in terms of time and resources to ensure that it is done properly.
A sledgehammer to crack a nut? Or a necessary evil to ensure that personal data is protected and not exploited. I’ll admit that even with a background in the DPA I started the GDPR journey thinking that it could well be the former – but in all honesty I don’t think it is. I think in a world where personal data has so much value, and the potential to be used in so many ways, it is vital that it is properly protected. The law is only just getting started!
Chris Mumford, Managing Director, AETHOS Consulting Group
Adele Martins, Partner and head of the Employment Department at law firm Magrath Sheldrick LLP