The General Data Protection Regulation (GDPR) came into force throughout the EU on 25 May 2018. The aim of the GDPR is to have a common set of rules on data protection applicable across the EU. It is also intended to put data privacy higher up the agenda for businesses and to establish much tougher penalties for non-compliance, including data breaches.
The applicability of the GDPR is not initially affected by Brexit. The Data Protection Act 2018 has repealed and replaced the Data Protection Act 1998 and covers the UK’s derogations from the GDPR. In the longer term, as part of the Brexit process, the UK government will seek to put in place alternative arrangements (such as a ‘Privacy Shield’-style agreement with the EU) that will allow the UK to share data with EU Member States post Brexit.
This fact sheet provides an overview of how the GDPR (which we use as a coverall term to cover GDPR and the Data Protection Act 2018) may be relevant to employment matters. It is not intended to be a comprehensive guide to an organisation’s obligations under the GDPR and you should seek specialist legal advice on this from a data protection lawyer.
Data protection in the UK before May 2018 was governed by the Data Protection Act 1998 (DPA). The DPA contained eight basic principles:
1. Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are:
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The GDPR is based on similar concepts to those found in the DPA, such as “personal data”, “data subject” and “data processor”, but it places significantly greater importance on the legal basis for processing data and on the rights of data subjects.
Under the GDPR, personal data must be (we have added the emphasis below):
Under the GDPR, businesses must establish a lawful basis to process personal data and document this. Lawful bases include:
There are separate lawful bases for the processing of special category data, which include explicit consent from the data subject and processing which is necessary for carrying out obligations under employment.
Consent under the GDPR must be freely given, specific, informed and unambiguous. There must be a positive opt-in by the subject and consent cannot be implied from silence. Consent must also be separate from other terms and conditions and subjects must be given the ability to withdraw consent easily. Subjects will generally have more rights under the GDPR where you rely on consent to process their data.
Whilst employers are not required by the GDPR to automatically seek fresh consent for processing data about employees, employers who rely on consent as a lawful basis for processing should consider whether any consents obtained in the past are valid under the GDPR. In particular, employers must be confident that the consent was given freely and on a fully informed basis. Many employers include a clause in contracts of employment stating that employees consent to the processing of their data; such consents are unlikely to be compliant under the GDPR, because of the imbalance of power in the employment relationship it is difficult to argue that consent given in this way was free.
Consent under the GDPR is likely to be far harder to establish as a lawful basis for processing than under the DPA, because of the requirement for consent to be “freely given”. Employers would therefore be wise to consider other grounds for processing, such as the performance of contractual obligations (i.e. the employment contract), compliance with legal obligations and/or legitimate interests.
The position regarding special category data is more complex. The Data Protection Act 2018 provides the ability for employers to process special category (sensitive) personal data for the purposes of carrying out obligations or exercising rights in the field of employment, subject to appropriate safeguards.
Under the GDPR, data subjects have the right to:
Employers must give applicants and employees information about:
This information must be given to the data subject at the time the data is obtained in a clear, concise format. See GDPR – Data Protection Policy [P32.01] for further information.
See GDPR – Subject Access Request Form [TP32.01].
Under the GDPR, subjects have the right to obtain access to their data and other information about how their data is being processed and by whom. This is similar to the right of data subject access under the DPA; however, there are some significant differences.
Employers can no longer charge a £10 fee for processing data subject access requests (although they can charge a reasonable fee based on the administrative cost of providing the information if a request is manifestly unfounded or excessive), and they must respond without undue delay and within one month, rather than the DPA’s 40 days. It is possible to extend this by up to a further two months if requests are complex or numerous, provided the subject is told of the extension and the reasons for it within the first month. Employers may also refuse to respond to a request where it is considered to be manifestly unfounded or excessive, in particular where requests are repetitive, but the employer must explain why the request has been refused and that the subject has a right to complain to the supervisory authority. See GDPR – Holding Respondent to a data subject access request [SL32.02], GDPR – Detailed response to a data subject access request [SL32.03] and GDPR – Guidance note for employees dealing with a DSAR [TP32.03].
The GDPR does not give a right to refuse to answer requests that relate to large amounts of data, but employers can consider whether there are grounds to say that the request is manifestly unfounded or excessive.
If a request is made electronically, the employer should provide the information in an electronic format. The GDPR also suggests that businesses should consider providing remote access to a secure self-service system where subjects can directly view their data. It’s not clear to what extent this is expected but, given GDPR’s risk and resource based approach to regulation, it is likely to be applicable to very few organisations in the near future.
Employees can object to the processing of their data based on legitimate interests on grounds relating to their “particular situation”. If an employee objects, you must stop processing the data unless you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims. The most likely reasons for an objection would be where an employee has provided their employer with details of a partner as an emergency contact and is no longer with that person, or where information relating to a medical condition has been provided and the employee considers that the employer no longer requires that information.
Applicants and employees have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or similarly significant effect on the individual. If such a process applies, subjects must be able to obtain human intervention, express their point of view and challenge the decision. The right does not apply if the decision is necessary for entering into or performing a contract, is authorised by law, or is based on explicit consent.
Automated decision-making may apply in the employment context in recruitment procedures, or in the application of triggers for performance or absence management, for example. However, most employers will routinely still subject such processes to human oversight and/or offer an opportunity for employees to comment on the matter before a final decision is made. Employers would be wise to consider whether they need to introduce any further safeguards or consents (particularly in recruitment, where first stage “sifts” might occur) in order to comply with the GDPR.
Public authorities, and employers whose core activities include regular and systematic monitoring of individuals on a large scale or large-scale processing of special category personal data, must appoint a Data Protection Officer. This means that most businesses in the financial services, insurance or other regulated industries will need to make such an appointment. Simply processing special category data about your own employees does not necessarily mean that a business must have a Data Protection Officer.
A data protection impact assessment can help businesses to identify the most effective way to comply with the obligations of the GDPR. Businesses are required under the GDPR to undertake a DPIA where processing is taking place that is likely to result in a high risk to the rights and freedoms of individuals.
The ICO has recently published detailed guidance on DPIAs. More information can be found at:
Personal data can only be transferred outside the EEA where adequate safeguards are in place. Adequacy may be determined by the European Commission in respect of the recipient country, or the individual organisation may provide adequate safeguards itself, such as binding corporate rules or standard data protection clauses in the form adopted by the Commission. If you use outsourced payroll providers, for example, you must ensure they handle the personal data you provide to them in a GDPR-compliant manner. With limited exceptions, the employer, as the data controller, will be liable to the data subject and the ICO for the actions of its processors if something goes wrong or a breach occurs.
Under the GDPR, data controllers are required to demonstrate compliance with the data protection principles and therefore employers are advised to ensure that they have a comprehensive set of policies governing data protection within the organisation. See GDPR – Data Protection Policy [P32.01] and GDPR – Data Retention Policy [P32.02]. Employers will also be expected, where possible, to have systems in place to manage data within the purposes for which it is obtained and retained.
Employers often use third parties, such as payroll providers, to process data relating to employees on their behalf. Under the GDPR, processors may only process data on behalf of a controller under a written contract and on the controller’s documented instructions. There is an obligation on the provider to demonstrate compliance with the GDPR and to allow the controller to inspect and audit the processor’s systems. This could make contractual negotiations with third-party providers more complex and expensive.
Many employers currently ask employees to consent to medical reports being obtained on their current medical condition in situations of frequent short-term sickness absence or long-term sickness absence. Such information constitutes special category data under the GDPR, and consent will no longer be an appropriate lawful ground for processing it given the difficulties with consent in the employment relationship. Employers should instead consider the reasons for obtaining such a report and, assuming that the employer is seeking to perform rights and obligations in connection with employment, the employer should be able to rely on Article 9(2)(b) of the GDPR as the lawful basis for processing, which covers processing that is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”, in so far as it is authorised by Union or Member State law (in the UK, the Data Protection Act 2018) providing for appropriate safeguards.
Rights and obligations in connection with employment in the context of medical reports could include:
Employers will still need to inform employees of their rights under the Access to Medical Reports Act 1988 (see FS3-05 Medical Evidence and Access to Medical Reports).
Employers can, under the GDPR, only process personal data relating to criminal convictions and offences under the control of official authority or where the processing is authorised by law with appropriate safeguards. Employers appointing individuals to roles to which the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 and/or the Police Act 1997 apply can therefore continue to process such information obtained via a standard or enhanced disclosure.
In contrast, there is no legal obligation for any employer to request a basic disclosure (although many may think it prudent to do so). Under the GDPR, there is therefore no permission to process basic disclosures.
The UK Government intended, through the Data Protection Bill (now the Data Protection Act 2018), to allow basic disclosures to be processed in certain circumstances. Unless and until such a provision applies to the employer’s processing, processing basic disclosures after 25 May 2018 risks breaching the GDPR, and employers could face censure from the ICO and/or a fine.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Employers have a duty to report breaches that are likely to result in a risk to the rights and freedoms of individuals to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
The notification provisions require businesses to notify the ICO of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), the likely consequences of the breach and the measures the company is taking to address it and mitigate any damage. Where all of this information is not available within 72 hours, it may be provided in phases without undue further delay.
Businesses are required to keep a record of all personal data breaches (whether or not notified to the ICO), including the facts of the breach, its effects and the action that was taken.
The maximum penalty for non-compliance with the GDPR is €20 million or 4% of an undertaking’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Failure to notify a breach can result in a fine of up to €10 million or 2% of the undertaking’s total worldwide annual turnover, whichever is higher.
This document has been created by, or on behalf of ESP Ltd, as a general document and as a guide in relation to its subject matter and has not been bespoke drafted for you or the specific circumstances in which you are looking to use it. Prior to using this document and undertaking any HR process you must consult your organisation’s own policies and procedures to ensure that you do not do anything in conflict with your own policies and procedures. If in any doubt as to how to use this document or, if you require any legal advice, please feel free to contact ESP Ltd on 0333 006 2929 and our legal team will be more than happy to assist. ESP Ltd will not be liable in any way for any actions undertaken by you or your use of this document unless we have been consulted regarding your use of this document as legal advisor to your business or have bespoke drafted any documentation in response to a specific support request.