On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into force and many of you will be breathing a sigh of relief that you got things done in time.
If you didn’t, don’t panic as it’s highly unlikely that you’ll be pursued by the Information Commissioner. The important thing is to be able to show that you are actively engaging with the process of complying with GDPR. Many businesses are taking a positive approach that this is ‘work in progress’ which was always going to extend beyond the deadline. Remember also that the new Data Protection Bill (which implements the GDPR into UK legislation) is still making its way through parliament.
I know from talking to GPs and PMs that the lead up to 25th May has been hectic and, because of the huge amount of work to be done, decisions have been made on what to prioritise … what’s most important and what can wait. Quite rightly, most of you have specifically tailored your GDPR planning to the key areas of risk you face, where enforcement action is more likely in the event of a data breach, so you’ve tended to focus on patient data.
HR and employee data
For some practices, GDPR requirements in relation to employee data have been put on the back burner. If this is the case, you should be making every attempt now to ensure you can demonstrate compliance with the new regime.
What you need to do:
- Audit how the personal data of employees, job applicants, self-employed contractors (and any other type of ‘worker’) is processed
- Remove consent clauses from employment contracts as they will no longer be valid (this will apply to new employees’ contracts – you don’t need to re-issue contracts to existing staff, the new privacy notice will suffice)
- Update data privacy notices (these may be separate documents or be included in, for example, your data protection policy for staff, or your job application or recruitment packs)
- Review contract terms with third party suppliers, for example, payroll or HR providers
It’s important to recognise that, as with patient data, the way you collect and process data about employees and job candidates will change. Transmission of staff data (particularly data that staff would consider sensitive, for example, their home address or bank details) will need to be reviewed and data security procedures put in place or tightened up.
In recruitment, if you use automatic profiling to filter CVs, you’ll need to notify candidates and, if they object, have an alternative method with human intervention instead.
Overall, the rules around ‘consent’ are now much tighter and raise questions about how free employees really are to give or withhold consent. As mentioned above, consent clauses in employment contracts will be invalid and you will need to establish another legal basis for processing data, for example, a legitimate interest, contractual or legal obligation (or one of the other lawful bases referred to in the GDPR). The legal basis you apply may vary with different types of data and the reasons for processing it.
Subject Access Requests
It surprises me that, even now, many practices do not have a clear process for dealing with employee (or ex-employee) Subject Access Requests (SARs). GDPR has meant that the time in which you must respond to a SAR has reduced from 40 days to one month and you will need to provide the data subject with additional information when delivering the response.
SAR fees (in most circumstances) have been abolished. Couple this with the abolition of employment tribunal fees and you could well see an increase in SARs as they are often used by aggrieved individuals to gather information prior to litigation.
Responding to employee/ex-employee SARs is usually a relatively simple process, but one people aren’t always aware of, and that’s when things can go wrong. It’s essential that everyone knows what to do if a request for information is received, how to identify a formal SAR and what to do with it.
There are still grey areas in the GDPR which will, over time, be interpreted by the Courts when legal challenges are made. It’s likely that as our understanding of the legislation evolves, so too will our processes.
My advice is to take a sensible, systematic approach to GDPR across all parts of your business, involve your employees and ensure the new systems become part of the way you do things.