Tag Archive: GDPR

Government publishes Statement of Intent on proposals for new data protection laws

On 7 August 2017, the Government published its Statement of Intent (SoI) on ‘A new Data Protection Bill: Our planned reforms’. The SoI states that implementation of the GDPR and repeal of the Data Protection Act (DPA) will be done in a way that, so far as possible, preserves the concepts of the DPA, to ensure that the transition is as smooth as possible for all while complying with the GDPR in full.

The Government has 3 main objectives in its approach to data protection law as we prepare to leave the European Union – (1) Maintaining trust; (2) Future trade; and (3) Security.

DLA Piper’s Data Privacy team has published a blog on the SoI here. The key aspects from an employment perspective are as follows:

Rights of individuals

The Bill aims to better protect UK citizens through a combination of new and strengthened existing rights:

  • Privacy – rules around consent are being strengthened and subject to additional conditions such as being unambiguous and easy to withdraw;
  • Improved data access – it will be easier for individuals to require an organisation to disclose the personal data it holds about them at no charge;
  • Right to be forgotten – individuals will be able to ask for their personal data to be erased; and
  • Profiling – individuals will have greater say in decisions that are made about them based on automated processing.


Requirements for organisations

Requirements will be strengthened or amended to reflect the changing nature and scope of the digital economy. The aim is to build accountability but with less bureaucracy – administrative and financial burdens will be alleviated but there will be increased requirements for data breach notification. The Bill will help to reduce business exposure to risk of data protection breaches and associated fines and reputational damage and will provide a clearer regime for data processing.

Regulator’s powers

The Information Commissioner will retain existing powers and gain additional authority to impose greater sanctions in the event of a data breach.

Exceptions and derogations

The Government conducted a ‘Call for views’ on the GDPR derogations which closed on 10 May 2017. The Bill will exercise the available derogations in the GDPR. The most notable are:

  • Giving consent to process data and protecting children online – children aged 13 or older will be able to consent to their personal data being processed;
  • Processing criminal conviction and offence data – the Government will legislate to extend the right to process personal data on criminal convictions and offences so as to enable organisations other than those vested with official authority to process criminal conviction and offences data. It will take a similar approach to that taken for the processing of sensitive categories of data;
  • Automated decision making – the Government will legislate to implement the exemption where suitable measures are put in place to safeguard an individual’s rights, freedoms and legitimate interests, eg in relation to a bank checking creditworthiness before agreeing to provide a loan; and
  • Research – research organisations will not have to respond to SARs when this would seriously impair or prevent them from fulfilling their purposes; they will not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work and provided that appropriate organisational safeguards are in place to keep the data secure.

Implications

The full detail of how the Government intends to implement the GDPR in the UK to ensure that data transfers to and from Europe post-Brexit are protected will not be clear until the text of the Bill is published. There are welcome indications that the Bill will deal with some aspects of the GDPR which could otherwise have been problematic for UK employers such as the prohibition on processing data about criminal records. It remains to be seen whether the Bill will deal with other problem areas such as the GDPR’s lack of exemptions to data subject access requests which could lead to employers being required to disclose privileged information. However, the SoI is helpful in further articulating the UK Government’s commitment to the adoption of the GDPR both pre- and post-Brexit.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/government-publishes-statement-of-intent-on-proposals-for-new-data-protection-laws/

How to prepare for GDPR: Implementing a compliance programme

In the latest in our series of briefings on preparing for GDPR, we focus on the steps necessary to implement a GDPR compliance programme. With only one year to go until GDPR comes into force on 25 May 2018, it is vital that organisations take action now to ensure that they are ready to comply with GDPR, in order to be in a position to meet regulatory standards, and minimise risk.

The aim is to be compliant by 25 May 2018 but this may be challenging so it is sensible to focus on the most important and risky areas first. The key features of the implementation of a compliance programme are to:

  • Assemble a project team;
  • Assess potential areas of exposure in your current working processes;
  • Develop a clear plan of action to be ready for 2018;
  • Implement changes needed in a logical / prioritised manner; and
  • Establish an effective information governance framework to manage risk.

Assembling the team

Implementation of a GDPR compliance programme requires a substantial investment of money, organisational resources and management time. It is vital to identify key stakeholders and ensure that the organisation has board or senior management buy-in to support the project.

Employers should first determine whether or not a DPO must be appointed. Even if the organisation is not required to appoint a DPO, it should assign an individual the responsibility for compliance with data protection legislation. The data protection lead will then need to bring together a team from within the organisation with the necessary skills and expertise. Legal, HR, IT, and compliance teams will need to take an integrated approach. Technical and/or specialist support may be required to understand where the organisation currently holds personal data, and whether or not current systems are capable of operating within the parameters required to comply with the GDPR.

Once the team is in place, they will need to work with each business area to identify the specific privacy risks that the organisation is exposed to and how these can be mitigated or avoided.

Conducting an initial risk assessment

The first step is to undertake an assessment of current practice – how the business collects, uses and shares personal data and how you regulate all this effectively within the business (ie proper record keeping, training, guidance, audit processes).

The next step is to identify and prioritise the gaps between where the organisation is now and where it wants to be by reviewing existing data practices against GDPR requirements. This exercise should be used to assess the level of privacy risk that the organisation is exposed to, based on:

  • The amount and type of data processed (eg if it is sensitive personal data);
  • The reason for processing;
  • Who it is shared with (eg if it is transferred to processors or other parties); and
  • Locations in which processing occurs (eg if it is transferred outside the EEA).

Establishing a GDPR compliance action plan

Once the organisation has conducted an initial audit and risk assessment, the next step is to create an action plan and timeline for developing and implementing a GDPR compliance programme. This should include the following steps:

  • Prioritise compliance activity and remedial measures based on areas with the highest risk;
  • Create a data register to meet GDPR recordkeeping requirements;
  • Review systems and processes. Can the organisation’s IT systems and processes cope technically with the expanded individual rights?
  • Create and/or review privacy policies and procedures with clear and practical guidance on GDPR compliance;
  • Review and update current privacy notices;
  • Integrate privacy by design and default. Collect the minimum amount of information and consider privacy from the outset of each project involving personal data;
  • Prepare for data breach notifications. Develop a data breach response programme for prompt notification and investigation;
  • Provide training on data protection policies and procedures, and specific training for individuals who process data;
  • Implement regular audits against defined metrics (eg number of privacy complaints, completion of training, data breaches suffered) to assess the ongoing success of the compliance programme; and
  • Review staffing requirements for ongoing data protection compliance.

How we can help

DLA Piper’s employment team have a wide range of experience in the field of employer data privacy, and are actively involved in assisting clients to prepare for GDPR. We can help you to:

  • Identify existing data systems and the personal data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Identify particular risk areas where use of data could be exploited to delay or disrupt business critical decisions; and
  • Develop and implement policies or changes to HR practices and procedures to manage potential GDPR issues and support compliance.

 

Permanent link to this article: http://www.dlapiperbeaware.co.uk/how-to-prepare-for-gdpr-implementing-a-compliance-programme/

Practical impacts of GDPR on the employment relationship

In the next of our series of briefings on the General Data Protection Regulation (GDPR) we focus on some more of the practical impacts of GDPR on the employment relationship and what businesses can do to manage these and prepare for implementation by May 2018.

Data subject access requests

Under the GDPR, employees will have the right to much more detailed, transparent and accessible information about the processing of their data. Data subject access requests will be easier for employees. In most cases employers will not be able to charge for complying with a request and normally will have just a month to comply, rather than the current 40 days. The removal of the £10 subject access fee is a significant change from the existing rules under the Data Protection Act (DPA).

Where requests are complex, a two-month extension is possible, giving a total of three months to comply. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, employers can either charge a reasonable fee (not capped) taking into account the administrative costs of providing the information, or refuse to respond.

Guidance will hopefully give an indication in due course of what sorts of requests could be viewed as complex, unfounded or excessive. However, the ICO is very unlikely to consider a request from an employee as complex, unfounded or excessive, even if they are asking for all their data, unless they have made a previous request recently. The ICO will expect employers to keep information in a manner which means they can locate and supply information within the initial month.

Where an employer intends to delay the response or refuses to respond to a request, the employer must write promptly to the individual within the month explaining why the request is refused or delayed. The employer must also inform them of their right to complain to the supervisory authority and to a judicial remedy.

The DPA contains various exemptions to the duty to disclose such as in relation to legal privilege but at present, the GDPR contains no such exemptions which an employer can rely on to avoid provision of the employee’s personal data. It may be that, in the UK at least, the doctrine of privilege will ‘trump’ data protection rights, but that remains to be tested.

Employers need to update procedures and plan how to handle requests within the new timescales. The GDPR introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well. In any event the ICO will expect employers to keep employee personal data in a manner which means that requests for access can be responded to promptly.

What this means in practice is that employers will need sophisticated policies and IT systems to manage DSARs within reasonable timeframes. In order to prepare for compliance, employers should take steps now to:

  • Update procedures and plan how to handle SARs and provide any additional information within the new timescales;
  • Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are complied with;
  • Assess the organisation’s ability to isolate data pertaining to a specific individual quickly and to provide data in compliance with the GDPR’s format obligations;
  • Ensure that employees are trained to recognise and respond quickly and appropriately to SARs; and
  • Consider putting a ‘data subject access portal’ in place allowing an individual to access their information easily online.

Automated processing and profiling

Employees have a right under the GDPR to not be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability, and behaviour).

The ICO recently published a discussion paper on profiling in which it set out its initial thoughts on where automated processing may significantly affect an employee. In their view this includes processing that:

  • Limits rights or denies an opportunity;
  • Affects individuals’ financial or economic status or circumstances;
  • Leaves individuals open to discrimination or unfair treatment;
  • Involves the analysis of the special categories of personal data or other intrusive data;
  • Causes individuals to change their behaviour in a significant way; or
  • Has unlikely, unanticipated or unwanted consequences for individuals.

It is not difficult to see how these might be the outcome of automated processing of HR data. Areas where employers might currently use automated decision-making, which they should therefore review, include:

  • Recruitment, including automated rejection or shortlisting;
  • Performance management/triggers for sickness absence;
  • Eligibility for attendance bonuses;
  • Holiday or shift rostering;
  • Employee monitoring; and
  • Profiling, particularly where this may impact on selection for talent programmes or career progression rather than purely for development purposes.

From a practical perspective employers need to ensure that where they use automated decision making they can explain how it works and there is another way to make an equivalent assessment of the individual if he/she objects.

In our next briefing we will focus on how employers can audit existing data processing across the employment lifecycle in order to identify risk areas, and how to develop an action plan and timeline to develop and implement a GDPR compliance programme.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/practical-impacts-of-gdpr-on-the-employment-relationship/

Preparing for the GDPR: New employee data subject rights could disrupt core HR procedures

The General Data Protection Regulation (GDPR), due to come into force throughout the EU including the UK on 25 May 2018, will force through a culture change in terms of attitudes to data privacy, according to the Information Commissioner Elizabeth Denham. Speaking at the Data Protection Practitioners’ Conference 2017, Denham warned that organisations risk damaging their brands and their business if they are seen to be cavalier with personal data: “If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.”

It is important to recognise that it is also a key HR issue. Data protection will become one of the major issues, and potentially a source of disputes, in the employment context in the next few years. Employers will need to adopt a whole new culture in relation to the processing of HR data in light of more restrictions on processing, new and strengthened rights for employees and much more stringent penalties.

Far from being a stand-alone issue or tick-box exercise requiring nothing more than updated data protection policies, data protection will impact the heart of the employment relationship and the operation of core HR projects and procedures.

The GDPR will make it difficult, if not impossible, to rely on consent for processing in the employment context due to new and more restrictive conditions for consent and the ability to withdraw consent at any time.

The most commonly used basis for legal processing of HR data (beyond processing required by law) is therefore likely to be legitimate interest. Employers will be able to show a legitimate interest in processing ordinary HR personal data for routine HR processes. However, employees have the right to object to their data being processed or to ask for it to be deleted where processing is based on legitimate interests grounds. If this happens employers must stop the processing unless and until they have confirmed to the employee compelling grounds for the processing which overrides the objection.

Similarly, if employees challenge the accuracy of HR personal data processed by the employer, they can require cessation of processing or deletion of the data unless accuracy is verified.

Although in many cases the employer may be able to show an overriding need to process the data and that it is sufficiently accurate, the employer will be unable to process the data whilst this is established. These rights could be used by employees individually or collectively to disrupt and delay HR processes such as appraisals, capability procedures, disciplinary and grievance proceedings, restructures and redundancy exercises and TUPE transfers. Alternatively they may rely on unlawful processing to challenge management decisions in subsequent employment tribunal proceedings as well as making complaints to the Information Commissioner’s Office.

The risk for employers can be mitigated by ensuring that privacy considerations are embedded in each HR process and project, both in their design and in how they are operated. To minimise the risk of the disruption specifically highlighted above, businesses should take the following steps as part of the wider review preparing for GDPR before it comes into force:

Legitimate Interest Objections

  • Understand where legitimate interest is the correct legal basis for HR data processing, the likelihood of objections, and whether there is likely to be an overriding compelling ground to continue processing in the event of an objection;
  • Establish a process for dealing with objections promptly and efficiently, being clear who has authority to make the judgment.

Accuracy Challenges

  • Consider how accuracy of data relied on by the business is ensured in each HR process and improve processes where necessary;
  • Build in opportunities to review accuracy or raise queries where appropriate; and
  • Establish an efficient process for dealing with accuracy challenges under GDPR including any verification required, authority for sign-off and responding to the employee.

These and other new and expanded rights under GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes and prospective areas of conflict. In future briefings we will focus on different practical impacts of GDPR on the employment relationship and what businesses can do to manage these and prepare for implementation by May 2018.

On a more general basis, the HR team needs to be an integral part of an organisation’s preparation for the GDPR. We can help you to:

  • Identify existing data systems and the personal data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Identify particular risk areas where use of data could be exploited to delay or disrupt business critical decisions; and
  • Develop and implement policies or changes to HR practices and procedures to manage potential GDPR issues and support compliance.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/preparing-for-the-gdpr-new-employee-data-subject-rights-could-disrupt-core-hr-procedures/