15.11.2017

General Data Protection Regulations (GDPR) - Upcoming HR Data Headache


Another interesting perspective on the effect of next year's new regulations on the data employers hold on their employees, and the reasons why:

Any company that extrapolates data – whether it’s from their customers, partners or employees – will need to identify legal grounds for processing that data, under the incoming General Data Protection Regulation (GDPR). HR departments - which are often flagged as a high risk to the business in GDPR audits, according to Matthew Holman, Principal at EMW LAW - must consider all avenues when processing employee data.

Holman explains that “due to the sensitive nature of the data and the volume of sensitive data captured by HR teams,” and “processes that are potentially not compliant due to the use of procedural short-cuts and a lack of training,” employers must pay close attention to the various legal grounds, set out by the Information Commissioner’s Office (ICO).

Don’t rely on consent - Under the former Data Protection Directive, HR relied on employee consent as a lawful basis for processing data. But under GDPR, Holman explains that an HR department that relies on consent “is at best, not doing its job properly and, at worst, putting the business at risk of potential complaints from the affected employees and possible investigation by the ICO.”

“Gone will be the days of HR simply relying on a standard clause buried deep within an employment contract whereby the employee gives blanket consent to the processing of their personal and sensitive data,” adds Kevin Charles, Consulting Barrister at Crossland Employment Solicitors.

Holman outlines why consent under GDPR is an unacceptable form of processing: “Fundamentally, consent from employees in the context of employment data processing is rarely permissible. The ICO’s recent draft consent guidance says that, in most cases, employers should presume that consent is not ‘freely given’ by employees because the employer/employee relationship is a clear imbalance of power. The likely result is that employees will consent because they feel that they have to, not because they choose to.”

Legitimate interests - The ICO suggests that “if you are processing employee data... you should look for another basis for processing such as... 'legitimate interests'.” Lisa Chittenden, Data Strategy and Compliance Director at Data Compliance Doctors, explains that this concept assumes that you (an employer) have an existing relationship with someone (an employee) whereby it is in the interest of those parties to communicate. “In this circumstance, there’s a set of questions organisations can ask themselves to judge whether they can apply legitimate interest in an employment context. However, relying on legitimate interests means that you must offer an opt-out option,” she adds.

Holman believes that the lawful ground of legitimate business interests is “the trickiest of them all.” He explains: “in order to benefit from legitimate business interest processing, the HR team should consider whether they can document a good justification which will stand the test of scrutiny should the ICO wish to investigate.

“Things to consider are:

· What sort of personal data is involved
· How many employees are affected and
· Whether the employees are likely to be surprised or upset about the processing if they were to find out about it.

“Things that have been captured by this ground include covert monitoring of employees to detect illegal activity (subject at all times to the ICO’s code of practice on employee monitoring),” he says.

Alternative grounds - Instead of legitimate interests, Holman says that most processing of employee data can be done using the lawful grounds of:

· compliance with a legal obligation, or
· necessary for the performance of a contract.

“The lawful ground of compliance with a legal obligation will capture things such as HR data for PAYE/NI calculations: the employer is under a legal duty to do this. This could also include the use of staff data on Health and Safety at Work registers when these are obligatory for the employer,” he explains.

“The lawful ground of performance of a contract will relate to things such as payroll and perhaps to less immediate things such as processing annual leave data or data regarding contractual maternity/paternity absences.” He says that another option is the protection of the vital interests of the employee where there is a clear emergency necessitating the use of the employees’ personal data.

Charles agrees that it’s likely that HR will be able to rely on both options for processes such as payroll, but the requirements for processing of sensitive personal data - relating to race, sex, disability, age, religion/belief etc - are more onerous. “For example, HR should be able to rely on ‘performance of a right or obligation imposed by law…’ to cover the processing of employees’ health information or to comply with disability discrimination legislation,” he explains. Personal sensitive data may also be collected as part of equal opportunities monitoring, which is specifically recognised as a legal ground for processing data without explicit consent, he adds.

Where does recruitment fall into this? - “As there’s marketing involved, consent for recruitment gets a bit cloudy,” explains Chittenden. “For example, if you post adverts and a candidate comes to you, then they are declaring an interest. However, if you want to communicate to someone/headhunt them, you need their consent first. It’s advisable to have a mechanism in place which makes it extremely clear to the consumer that they know exactly what they’re opting in to upon communications.”

A mature HR professional with over thirty years experience within the HR function both from a strategic and operational perspective, with over 18 years in senior management roles including those at…
