The General Data Protection Regulation (GDPR), due to come into force throughout the EU including the UK on 25 May 2018, will force through a culture change in terms of attitudes to data privacy, according to the Information Commissioner Elizabeth Denham. Speaking at the Data Protection Practitioners’ Conference 2017, Denham warned that organisations risking damaging their brands and their business if they are seen to be cavalier with personal data: “If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.”
It is important to recognise that it is also a key HR issue. Data protection will become one of the major issues, and potentially source of disputes, in the employment context in the next few years. Employers will need to adopt a whole new culture in relation to the processing of HR data in light of more restrictions on processing, new and strengthened rights for employees and much more stringent penalties.
Far from being a stand-alone issue or tick-box exercise requiring nothing more than updated data protection policies, data protection will impact the heart of the employment relationship and the operation of core HR projects and procedures.
The GDPR will make it difficult, if not impossible to rely on consent for processing in the employment context due to new and more restrictive conditions for consent and the ability to withdraw consent at any time.
The most commonly used basis for legal processing of HR data (beyond processing required by law) is therefore is likely to be legitimate interest. Employers will be able to show a legitimate interest in processing ordinary HR personal data for routine HR processes. However, employees have the right to object to their data being processed or to ask for it to be deleted where processing is based on legitimate interests grounds. If this happens employers must stop the processing unless and until they have confirmed to the employee compelling grounds for the processing which overrides the objection.
Similarly, if employees challenge the accuracy of HR personal data processed by the employer, they can require cessation of processing or deletion of the data unless accuracy is verified.
Although in many cases the employer may be able to show an overriding need to process the data and that it is sufficiently accurate, the employer will be unable to process the data whilst this is established. These rights could be used by employees individually or collectively to disrupt and delay HR processes such as appraisals, capability procedures, disciplinary and grievance proceedings, restructures and redundancy exercises and TUPE transfers. Alternatively they may rely on unlawful processing to challenge management decisions in subsequent employment tribunal proceedings as well as making complaints to the Information Commissioner’s Office.
The risk for employers can be mitigated by ensuring that privacy considerations are embedded in each HR process and project, both in their design and in how they are operated. To minimise the risk of the disruption specifically highlighted above businesses should take the following steps as part of the wider review preparing for GDPR before it comes into force:
Legitimate Interest Objections
- Understand where legitimate interest is the correct legal basis for HR data processing, the likelihood of objections, and whether there is likely to be an overriding compelling ground to continue processing in the event of an objection;
- Establish a process for dealing with objections promptly and efficiently, being clear who has authority to make the judgment.
- Consider how accuracy of data relied on by the business is ensured in each HR process and improve processes where necessary;
- Build in opportunities to review accuracy or raise queries where appropriate; and
- Establish an efficient process for dealing with accuracy challenges under GDPR including any verification required, authority for sign-off and responding to the employee.
These and other new and expanded rights under GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes and prospective areas of conflict. In future briefings we will focus on different practical impacts of GDPR on the employment relationship and what business can do to manage these and prepare for implementation by May 2018.
On a more general basis, the HR team needs to be an integral part of an organisation’s preparation for the GDPR. We can help you to:
- Identify existing data systems and the personal data processed throughout the employment lifecycle from recruitment to termination and beyond;
- Understand the legal basis for processing and identify what will need to change to comply with the new regime;
- Identify particular risk areas where use of data could be exploited to delay or disrupt business critical decisions; and
- Develop and implement policies or changes to HR practices and procedures to manage potential GDPR issues and support compliance.