The Data Protection Act 1998 requires businesses to follow the eight data protection principles of good information handling. However, data protection law is changing on 25 May 2018 and the Data Protection Act is being replaced by the General Data Protection Regulation (GDPR). There are no exemptions based on size or sector — all organisations must comply with its requirements. Paul Tew, small business consultant and freelance advisor, looks at what the new laws mean for employers handling personal data and the much tougher punishments for non-compliance with data protection law.
The GDPR applies to “controllers” and “processors”. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
Personal data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, accurate and where necessary, kept up to date.
The GDPR applies to both automated personal data and to manual filing systems. Employers must have a valid lawful basis in order to process personal data. Most lawful bases require that processing is “necessary”. If you can reasonably achieve the same purpose without the processing, you do not have a lawful basis.
Consent is one lawful basis for processing, but there are alternatives. If currently relying on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, with a positive opt-in, properly documented and capable of being easily withdrawn at any time. Consent must also be separate from other terms and conditions of the employment, so use a separate form for this, rather than including it as a term within an employment contract.
Under GDPR, it is necessary to keep an inventory of the personal data that is being processed. This inventory needs to cover the data categories being held and this includes payroll and employee benefits data.
The rights of individuals
On the whole, the rights individuals will enjoy under the GDPR are the same as at present but with some significant enhancements. The GDPR provides eight basic rights for individuals.
The right to be informed, typically through a privacy notice.
The right of access to their personal data and other supplementary information.
The right to rectification, if personal data is inaccurate or incomplete and for this to be done without undue delay.
The right to erase, making a request for the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to restrict processing of personal data, for example, where an individual contests the accuracy of the personal data, employers should restrict the processing until the accuracy of the personal data has been verified by HR/payroll.
The right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to object, for example, processing personal data for direct marketing purposes.
Rights in relation to automated decision-making and profiling.
The use of employee self-service HR software, so that employees can both see, and where appropriate amend, the data that an employer holds about them may help in complying with these rights.
All businesses should check their procedures to ensure they cover all the rights individuals have. To satisfy these rights it will be necessary to review what payroll and benefits data is collected, how it is used, where it comes from and goes to (transferred to other countries), where it is held, for how long and how it is destroyed. It may be advisable to document employee information and carry out a data audit prior to the GDPR coming into effect.
If HR or payroll data is shared with any third parties, eg payroll bureaux, then employers must have a GDPR-compliant data sharing contractual agreement in place. Any external service provider will be required to, among other things, maintain records of personal data and implement appropriate security measures.
Data protection impact assessments can be used to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy, for example, where a new technology is being deployed.
A fair processing (privacy) notice should give employees clear information about what is happening with their personal data. It should describe the purpose of processing personal data, for example, to allow employers to fulfil their contractual obligations to employees in order to pay wages or salary, award paid time off, recording absences, etc.
Individuals must be notified of the existence of their personal data rights. The information supplied to employees about the processing of personal data must be concise, transparent, intelligible and easily accessible, written in clear and plain language and free of charge.
How to handle subject access requests
Individuals can find out what personal data about them is being held by an employer, why it is held and who it is disclosed to. In most cases, the employee cannot be asked to pay a fee for making a request to access their personal data, but employers can refuse or make a charge for any requests that are obviously unfounded or excessive. Employers will have to comply with requests more quickly under the GDPR, normally within a month, rather than the current 40 days. Consideration should be given as to whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
Personal data breaches
In most cases, if there are personal and payroll data breaches, such as an accidental or unlawful loss, or disclosure of personal data then this must be reported and key information given to the appropriate parties, eg employees where there is a high risk to the rights and freedoms of the individuals and the Information Commissioner’s Office (ICO). This should be within 24 hours where possible, but at least within 72 hours. An example, would be an email containing pay data sent to an incorrect address.
The business should have in place procedures to effectively discover, report and investigate a personal data breach. Someone in your organisation must have responsibility to investigate and contain a breach, and make a report. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
It will not be sufficient to simply state that the GDPR has been complied with. Employers will be required to demonstrate how compliance has actually been achieved. Failure to comply with the regulation will result in harsher penalties than now. Currently, the ICO can impose fines up to £500,000 but the GDPR could see penalties being charged of up to €20 million or 4% of annual global turnover, whichever is the higher figure.
There is a dedicated advice line that offers help to small organisations to prepare for the new data protection law. To access the new service dial the ICO helpline on 0303 123 1113 and select option 4.
Last reviewed 6 February 2018