Following yesterday's expert guide to the upcoming General Data Protection Regulation (GDPR) for employers, this article will discuss the rights of your employees in relation to data protection and how these will change as a result of GDPR.

Employee rights

Data subjects (your employees, in this context) have the following rights under the GDPR:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
Those highlighted in bold are the most pertinent to the HR function.

The right of access – This is what we currently know as a subject access request. It gives individuals the right to request production of the data held on them. Right now, a request must be complied with within 40 days (unless an exemption applies) and employers can charge the employee a €6.35 fee. Under GDPR, the rules will be different. Information will have to be provided as soon as possible and within one month at the latest, which can be extended by a further 2 months where requests are complex or numerous. If this is the case, you must inform the individual within one month of receipt of the request and explain why the extension is necessary. Employers will not normally be able to charge a fee; however, DPC guidance states that “you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive”. They also advise that “You may charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information”. For example, this may be when the employee asks for a copy of the information to be sent to them, and another copy to be sent to their legal adviser. The following information needs to be produced:
- A description of the personal data, the purpose for which it is processed, recipients, retention period and rights of rectification, erasure, restriction, and objections
- A copy of the information comprising the data.
- Details of the source of the data.
The right to rectification – Individuals are entitled to have inaccurate data rectified without undue delay. The DPC guidance states that this should occur within 1 month, or 2 months for complex requests. If no action is to be taken, employers must explain why to the individual, informing them of their right to complain and to a judicial remedy. Employers would also need to consider, from a separate perspective, how the error occurred in the first place.

The right to erasure (‘the right to be forgotten’) – This gives individuals the right to request that personal data be deleted or removed where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’; it can be exercised where, for example:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- The individual withdraws consent.
Under the DPAs, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

Consent

Except where a lawful basis already applies, data controllers must obtain the consent of the data subject in order to process their data. Where consent is required, it will have to be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Consent will have to be obtained via free-standing notices rather than being held within an employee handbook, for example. When obtaining consent, certain pieces of information will need to be included, namely:
- The identity of the data controller;
- What the data is processed for (some processes will require their own specific consent);
- How the data is processed;
- The right to withdraw consent at any time.
The Data Protection Commissioner is currently creating guidance to assist data controllers with how to obtain consent; however, this has not yet been finalised.

New obligations on data processors and appointment of Data Protection Officers

The introduction of “accountability” makes the data processor responsible for demonstrating that they comply with the GDPR principles. Businesses will need to:
- Implement measures to ensure and demonstrate compliance;
- Maintain documentation/records of processing activities;
- Where appropriate appoint a Data Protection Officer (DPO);
- Use data protection impact assessments (DPIA).
As well as the obligation to provide comprehensive, clear and transparent privacy policies, if an organisation has more than 250 employees, employers must maintain additional internal records of their processing activities. Organisations with fewer than 250 employees are only required to maintain records of activities related to higher-risk processing, such as:
- Processing personal data that could result in a risk to the rights and freedoms of individuals; or
- Processing of special categories of data or criminal convictions and offences.
What do organisations need to record?
- Name and details of your organisation (and where applicable, of other controllers, your representative, and Data Protection Officer);
- Purposes of the processing;
- Description of the categories of individuals and categories of personal data;
- Categories of recipients of personal data;
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
- Retention schedules;
- Description of technical and organisational security measures.
The GDPR requires organisations to appoint a Data Protection Officer (DPO) if you:
- Are a public authority or body (other than a court);
- Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO can be an existing employee whose responsibilities lend themselves to taking responsibility for GDPR compliance. Alternatively, employers may wish to recruit for the role or contract it out externally. GDPR does not require DPOs to have any specific qualifications to undertake the role, but it does stipulate that they have professional experience and knowledge of data protection law appropriate to the type of processing an organisation carries out. One DPO may be responsible for a group of companies. Employers who do not fall within the definition of an organisation that requires a DPO may still choose to appoint one, given the increased focus on accountability in GDPR. A DPO must report to the highest level of management within the organisation (i.e. board level) and must be provided with adequate resources to enable them to meet their GDPR obligations. A DPO should not be dismissed or penalised for performing their tasks.

If you have any questions in relation to GDPR, please contact our expert employment law advisors on the 24 Hour Advice Service on 0818 923 923.