

General Data Protection Regulation (GDPR) Overview

The General Data Protection Regulation (GDPR) came into force throughout the EU on 25 May 2018. The aim of the GDPR is to have a common set of rules on data protection applicable across the EU. It is also intended to put data privacy higher up the agenda for businesses and to establish much tougher penalties for data breaches.

The applicability of the GDPR will not initially be affected by Brexit. The Data Protection Act 2018 has repealed and replaced the Data Protection Act 1998 and sets out the UK's derogations from the GDPR. In the longer term, as part of the Brexit process, the UK government will seek to put in place alternative arrangements (such as an agreement with the EU along the lines of the EU-US ‘Privacy Shield’) that will allow the UK to continue sharing personal data with EU Member States post Brexit.

This fact sheet provides an overview of how the GDPR (which we use as a coverall term to cover GDPR and the Data Protection Act 2018) may be relevant to employment matters. It is not intended to be a comprehensive guide to an organisation’s obligations under the GDPR and you should seek specialist legal advice on this from a data protection lawyer.

The Historical Position

Data protection in the UK before May 2018 was governed by the Data Protection Act 1998 (DPA). The DPA contained eight basic principles:

  1. Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data.  The conditions are:
    • the data subject has given his consent to the processing, or
    • the processing is necessary for one of the various purposes set out in the DPA.
  2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

GDPR Principles

The GDPR is based on similar concepts to those found in the DPA, such as “personal data”, “data subject” and “data processor”, but it places significantly greater importance on the lawful basis for processing data and on the rights of data subjects.

Under the GDPR, personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful Basis for Processing

Under the GDPR, businesses must establish a lawful basis to process personal data and document this. Lawful bases include:

  1. Consent of the data subject;
  2. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
  3. Processing is necessary for compliance with a legal obligation;
  4. Processing is necessary to protect the vital interests of a data subject or another person;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

There are separate, additional conditions for the processing of special category data and criminal offence data. These include explicit consent from the data subject and processing which is necessary for carrying out obligations or exercising rights in the field of employment.

Categories of Data

Under the GDPR and Data Protection Act 2018, there are three distinct types of data:

  • Personal Data
  • Special Category Personal Data
  • Criminal Offence Data

Personal data is any information relating to an identified or identifiable natural person.  This covers individual pieces of data (such as a name) and combinations of data (such as an email address together with a name) that enable a specific person to be identified from that data.

Special category personal data is any personal data that deals with a person’s:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

Criminal offence data is any personal data that relates to a person’s criminal history, including any arrest history, past convictions and any sentences and punishments that may have been imposed upon a person resulting from criminal behaviour.

Consent

Consent under the GDPR must be freely given, specific, informed and unambiguous. There must be a positive opt-in by the subject; consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and subjects must be able to withdraw consent as easily as they gave it. Subjects will generally have more rights under the GDPR where you rely on consent to process their data.

Whilst employers are not required by the GDPR to automatically seek fresh consent for processing data about employees, employers relying on consent as a lawful basis for processing should consider whether any consents obtained in the past are valid under the GDPR.  In particular, employers must be confident that the consent was given freely and on a fully informed basis.  Many employers include a clause in contracts of employment stating that employees consent to the processing of their data; such consents are unlikely to be compliant under the GDPR, because of the imbalance of power in the employment relationship it is difficult to show that the consent was freely given.

Consent under the GDPR is likely to be far harder to establish as a lawful basis for processing than under the DPA, because of the requirement for consent to be “freely given”. Employers would therefore be wise to consider other grounds for processing, such as the performance of contractual obligations (i.e. the employment contract), compliance with legal obligations and/or legitimate interests.

The position regarding special category and criminal offence data is more complex. For advice on how to handle criminal record data, please see Criminal Records below and FS9.09 Criminal Records and Employment.

With regard to the processing of special category personal data, not only must the controller have a lawful basis for the processing (see above), but it must also separately satisfy one of the 10 conditions in Article 9(2) for processing the special category data.  These are:

  1. Consent (note, that if the data subject has given explicit consent to the processing of their special category personal data, this acts as consent for both the lawful basis and the additional condition);
  2. The processing is necessary for the purposes of carrying out the obligations of the controller in respect of employment and social security;
  3. Vital interests (this is where the processing is required to protect the vital interests of the data subject, such as in a medical emergency where, for example, the passing of information relating to the person’s medical history to the emergency services is deemed sufficiently important);
  4. The processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a not-for-profit body with a political, philosophical, religious or trade union aim;
  5. The data has been manifestly made public by the data subject;
  6. The processing is for the purpose of establishing, exercising or defending legal claims;
  7. Substantial public interest, subject to balancing the fundamental rights of the data subject;
  8. To provide preventative or occupational health or social care;
  9. Public interest in the area of public health; or
  10. It is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

For employers, it is likely that only 1, 2 and 6 above will ever be used to justify the processing of an employee’s special category personal data.  Given the nature of special category personal data, it is best practice to limit what is collected to only that which is needed (for example, recording only the information about an employee’s disability that is needed to assess reasonable adjustments for that employee) and to seek consent to its collection and storage.  Whilst condition 2 above allows an employer to process special category personal data, it is incumbent on the employer to be able to demonstrate that the collection and processing of this data was necessary and not merely beneficial.

Rights of Data Subjects

Under the GDPR, data subjects have the right to:

  1. Be informed about processing;
  2. Access data held about them;
  3. Request rectification of data;
  4. Request erasure of data;
  5. Restrict processing;
  6. Data portability;
  7. Object to processing carried out on the basis of legitimate interests (or a public task) on grounds relating to their “particular situation” (where consent is relied upon, the equivalent remedy is to withdraw it); and
  8. Not be subject to a decision based solely on automated decision making, including profiling, which produces legal or similarly significant effects.

Right to be Informed

Employers must give applicants and employees information about:

  1. The purpose of the processing and the lawful basis for the processing;
  2. The identity and contact details of the controller and, where one has been appointed, the data protection officer;
  3. Where applicable, the legitimate interests pursued by the controller or by a third party;
  4. The categories of personal data to be processed;
  5. Any recipient or categories of recipient of the personal data;
  6. Details of any transfers to countries outside the EU and the safeguards in place;
  7. Retention of data;
  8. Their rights of access to their data;
  9. The right to withdraw consent at any time;
  10. The right to lodge a complaint with a supervisory authority;
  11. Where the data was not obtained from the data subject, the source of the data and whether it came from a publicly accessible source;
  12. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data; and
  13. The existence of automated decision making and information about how decisions are made, the significance and the consequences.

This information must be given to the data subject at the time the data is obtained in a clear, concise format. See GDPR – Data Protection Policy [P32.01] for further information.

Subject Access Requests

See GDPR – Subject Access Request Form [TP32.01].

Under the GDPR, subjects have the right to obtain access to their data and other information about how their data is being processed and by whom. This is similar to the right of subject access under the DPA 1998, but there are some significant differences.

Employers can no longer charge a £10 fee for processing data subject access requests (although they can charge a reasonable fee based on the administrative cost of providing the information if a request is manifestly unfounded or excessive), and they must respond without undue delay and at the latest within one month of receiving the request. It is possible to extend this by a further two months if a request is complex or if several requests have been made, but employers should note that the time limit runs from the date the request was received and not from the date they asked the subject for additional information about the request. Employers may also refuse to respond to a request that is manifestly unfounded or excessive, in particular where it is repetitive, but the employer must explain why the request has been refused and that the subject has a right to complain to the supervisory authority. The Information Commissioner’s Office publishes further detailed guidance on dealing with requests.

See GDPR – Holding Respondent to a data subject access request [SL32.02], GDPR – Detailed response to a data subject access request [SL32.03] and GDPR – Guidance note for employees dealing with a DSAR [TP32.03].

The GDPR does not give a right to refuse a request simply because it relates to a large amount of data, but employers can consider whether there are grounds to say that the request is manifestly unfounded or excessive.

If a request is made electronically, the employer should provide the information in a commonly used electronic format. The GDPR also suggests that, where possible, businesses should consider providing remote access to a secure self-service system through which subjects can view their data directly.  It is not clear to what extent this is expected but, given the GDPR’s risk and resource based approach to regulation, it is likely to be applicable to very few organisations in the near future.

Right to Object

Employees can object to the processing of their data based on legitimate interests on grounds relating to their “particular situation”. If an employee objects, you must stop processing the data unless you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims. The most likely reasons for an objection in practice are where an employee has given their employer details of a partner as an emergency contact and is no longer with that person, or where information relating to a medical condition has been provided and the employee considers that the employer no longer needs it.

Automated Decision-making

Applicants and employees have the right not to be subject to a decision based solely on automated processing where it produces a legal effect or a similarly significant effect on the individual. Where such processing is permitted, subjects must be able to obtain human intervention, express their point of view and challenge the decision. The right does not apply if the decision is necessary for entering into or performing a contract with the individual, is authorised by law, or is based on the individual’s explicit consent.

Automated decision-making may apply in the employment context in recruitment procedures, or in the application of triggers for performance or absence management, for example. However, most employers will routinely still subject such processes to human oversight and/or offer an opportunity for employees to comment on the matter before a final decision is made. Employers would be wise to consider whether they need to introduce any further safeguards or consents (particularly in recruitment, where first stage “sifts” might occur) in order to comply with the GDPR.

Data Protection Officer

Public authorities, and employers whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special category or criminal offence data, must appoint a Data Protection Officer. This means that most businesses in the financial services, insurance or other regulated industries will need to make such an appointment. Simply processing special category data about your own employees does not in itself mean that a business must have a Data Protection Officer.

Data Protection Impact Assessments

A data protection impact assessment (DPIA) can help businesses to identify the most effective way to comply with the obligations of the GDPR. Businesses are required under the GDPR to undertake a DPIA before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals.

The ICO has published detailed guidance on DPIAs.

Transfers of data outside the EU

Personal data can only be transferred outside of the EU where adequate safeguards are in place. This may be because the European Commission has decided that the recipient country ensures an adequate level of protection, or because the exporting organisation has itself provided appropriate safeguards, such as binding corporate rules or standard data protection clauses in the form adopted by the Commission. If you use outsourced payroll providers, for example, you must ensure they handle the personal data you provide to them in a GDPR-compliant manner. With limited exceptions, the employer, as the data controller, remains answerable to the data subject and the ICO for the actions of its processors if something goes wrong or a breach occurs.

Accountability and Processors

Under the GDPR, data controllers are required to demonstrate compliance with the data protection principles and therefore employers are advised to ensure that they have a comprehensive set of policies governing data protection within the organisation. See GDPR – Data Protection Policy [P32.01] and GDPR – Data Retention Policy [P32.02]. Employers will also be expected, where possible, to have systems in place to manage data within the purposes for which it is obtained and retained.

Employers often use third parties, such as payroll providers, to process data relating to employees on their behalf. Under the GDPR, a processor may only process data on the controller’s documented instructions, under a written contract containing the terms required by Article 28. The processor is obliged to demonstrate its compliance with the GDPR and to allow the controller to inspect and audit its systems. This could make contractual negotiations with third-party providers more complex and expensive.

Medical Information

Many employers currently ask employees to consent to medical reports being obtained on their current medical condition in situations of frequent short-term sickness absence or long-term sickness absence. Such information constitutes special category data under the GDPR, and consent will no longer be an appropriate ground for processing it, given the difficulties with consent in the employment relationship. Employers should instead consider the reasons for obtaining such a report; assuming that the employer is seeking to perform rights and obligations in connection with employment, it should be able to rely on Article 9(2)(b) of the GDPR as the condition for processing, which covers processing that is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.

Rights and obligations in connection with employment in the context of medical reports could include:

  • Administering sick pay;
  • Determining eligibility for permanent health insurance (PHI);
  • Considering the continued employment of the employee in order to comply with unfair dismissal law; and
  • Considering the duty to make reasonable adjustments under the Equality Act 2010.

Employers will still need to inform employees of their rights under the Access to Medical Reports Act 1988 (see FS3-05 Medical Evidence and Access to Medical Reports).

Criminal Records

Information about an employee’s criminal convictions is personal data and cannot be processed unless there is a lawful basis for doing so. Employers must therefore comply with their obligations as data controllers under data protection law when handling such information.

Under GDPR, employers can only process personal data relating to criminal convictions and offences if:

  1. there is a legal obligation to do so;
  2. the employee consents to the processing; or
  3. the processing is necessary for the purposes of legitimate interests pursued by the employer.

In addition, Article 10 of the GDPR requires that such processing is carried out either under the control of official authority or where it is authorised by law providing appropriate safeguards; in the UK those conditions are set out in the Data Protection Act 2018. Employers appointing individuals to roles to which the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 and/or the Police Act 1997 apply can therefore continue to process such information obtained via a standard or enhanced disclosure.

In contrast, there is no legal obligation for any employer to request a basic disclosure (although many may think it prudent to do so). Under the GDPR and Data Protection Act 2018, the “legal obligation” basis is therefore not available for processing basic disclosures. On this basis, a blanket policy requiring all employees to undertake basic disclosures is unlikely to be GDPR compliant and is also unlikely to be viewed favourably by the ICO.

An employer may be able to argue that a request for a basic disclosure is in pursuit of a legitimate interest, namely to protect its reputation and/or to gain the confidence of the public in the reliability of its staff, given the high degree of trust required for the role and/or the sector, however, this is untested in the courts.  If an employer is looking at undertaking basic disclosures on this basis then a legitimate interest assessment must be completed to consider whether or not those legitimate interests are outweighed by the applicant’s right to privacy.  In addition, consent will still be required from the data subject to undertake this processing.  It is recommended that you take advice from your Legal Advisor before pursuing this approach.

Where checks are undertaken, the information obtained should only be retained for as long as is necessary for the purpose for which it was obtained.  As an example, if an employer is relying on legitimate interests as a lawful basis for undertaking a check, once a decision is made regarding the prospective employment i.e. whether or not to employ them, the information should be destroyed.

In addition to the above, the data controller must have in place a clear policy that details why information relating to criminal convictions and offences is collected and processed, together with how long it will be held.  This policy must be reviewed and updated regularly.  See GDPR – Data Protection Policy [P32.01] and GDPR – Data Retention Policy [P32.02] for wording that deals with this requirement.

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Employers must report a breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.

The notification must describe the nature of the breach, including the approximate number of people and records likely to have been affected, the likely consequences of the breach, the measures the company has taken or proposes to take to address the breach and mitigate any damage, and the contact details of the data protection officer or another contact point.

Businesses are required to keep a record of all data breaches (whether or not notified to the ICO) and the action that was taken.

Penalties

The maximum penalty for non-compliance with the GDPR is €20 million or 4% of an undertaking’s total worldwide annual turnover for the preceding financial year, whichever is higher.

Failure to notify a breach can result in a fine of up to €10 million or 2% of the undertaking’s total worldwide annual turnover, whichever is higher.

How can you comply with GDPR?

  • Ensure that all data subjects are provided with the information about the processing of their data in a clear and concise format. See GDPR – Data Protection Policy [P32.01], GDPR – Data Retention Policy [P32.02] and GDPR – Fair Processing Notice for Applicants [TP32.04];

  • Review and amend data protection policies and contracts of employment to address the new rights and obligations;

  • Revise procedures for handling data subject access requests under the new regime. See GDPR – Holding Respondent to a data subject access request [SL32.02], GDPR – Detailed response to a data subject access request [SL32.03] and GDPR – Guidance note for employees dealing with a DSAR [TP32.03];

  • Identify whether any processing constitutes automated decision-making and if so, consider whether you need to revise your procedures;

  • Prepare a procedure for recognising and notifying breaches within the necessary timescales;

  • Review arrangements for the retention and storage of data. See GDPR – Data Retention Policy [P32.02]; and

  • Train staff on the new requirements.

This document has been created by, or on behalf of ESP Ltd, as a general document and as a guide in relation to its subject matter and has not been bespoke drafted for you or the specific circumstances in which you are looking to use it. Prior to using this document and undertaking any HR process you must consult your organisation’s own policies and procedures to ensure that you do not do anything in conflict with your own policies and procedures.  If in any doubt as to how to use this document or, if you require any legal advice, please feel free to contact ESP Ltd on 0333 006 2929 and our legal team will be more than happy to assist.  ESP Ltd will not be liable in any way for any actions undertaken by you or your use of this document unless we have been consulted regarding your use of this document as legal advisor to your business or have bespoke drafted any documentation in response to a specific support request.
