In this hot topics article, Deirdre Crowley writes the first in a series of articles dealing with the topical issue of the General Data Protection Regulation (GDPR) and its impact on handling employee data in the workplace. The eight-month countdown is on to the implementation of the GDPR on 25 May 2018. The eye-watering fines of up to €20 million, or up to 4% of an organisation's total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)), are causing businesses to implement highly sophisticated reviews of their records management systems across their operations.
In this article, which focuses on some food for thought in respect of how the GDPR applies to HR, readers are reminded that the GDPR is a business wide issue. GDPR compliance is not an issue that falls to HR alone to consider. The appropriate handling of data in line with obligations in the GDPR is a business wide duty and responsibility.
Many HR professionals are currently tasked with the responsibility of recruiting a data protection officer (DPO) for their organisation. Under Article 37, public authorities and bodies, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special categories of data must appoint a DPO by 25 May 2018 to demonstrate accountability and compliance with the GDPR. Headcount alone is not the test: the 250-employee threshold in the GDPR relates to the record-keeping exemption in Article 30(5), not to the DPO requirement, so even a small business that processes special categories of data on a large scale may need a DPO.
In a GDPR-ready series drafted by Crowley Solicitors, data management issues relevant to HR will be canvassed and explored in the coming eight months.
This series on GDPR compliance for HR professionals is intended to provide you with a summary of some of the significant changes that will apply once the GDPR comes into force and the likely impact of the GDPR on businesses. We will also canvass priority action points so that HR professionals can begin taking steps to ensure compliance with the GDPR when it comes into force.
Legal basis of GDPR
The GDPR was adopted on 27 April 2016 and applies from 25 May 2018. It introduces substantial changes to data protection law and will replace the regime under the Data Protection Acts 1988 – 2003 (as amended). The GDPR builds on existing data protection obligations and increases the extent of compliance generally. Companies have eight months remaining in which to prepare for the new rules. Given the extra-territorial scope of the GDPR, the new concepts it introduces (such as the data protection officer, the data protection impact assessment, accountability, and privacy by design and by default) and the severe financial penalties for non-compliance, it is a business-critical issue for organisations to address.
Consent and the Legitimate Interest Exception
Consent – Some Key Considerations
The GDPR introduces a new landscape for relying on consent in the HR context. Like Directive 95/46/EC (the Directive), the GDPR refers to both 'consent' and 'explicit consent'. For HR professionals, the practical difference between consent and explicit consent as prescribed by the GDPR is unclear. What is clear is that both forms of consent now require a clear affirmative action. It will no longer be acceptable under the GDPR for employers to justify their employee records management systems by treating employees' silence or acquiescence as consent to their employer holding their data.
Definition of ‘Suitable Measures’ to Safeguard Employee ‘Data’
The scheme of the draft Data Protection Bill 2017 ('the Bill') permits the processing of employee data as long as 'suitable measures are in place to safeguard the fundamental rights and freedoms of the data subject'. While this provision is helpful, the Bill does not define 'suitable measures'. There is continuing uncertainty as to the extent to which the 'suitable and specific safeguards' referred to in the Bill and the 'appropriate safeguards' referred to in Article 9 of the GDPR are intended to be additional and complementary to the obligations already imposed on data controllers. The possibility of including a 'toolbox' of possible safeguards as a provision in the final version of the Data Protection Bill will be explored during drafting, and HR professionals should continue to watch this space.
Contracts of Employment
What conditions must exist in employment contracts and staff manuals in order to procure a valid consent in line with the GDPR obligations? Pre-ticked boxes, acquiescence or silence do not constitute valid consent (Recital 32). The burden of proof will be on the employer to demonstrate that valid consent has been obtained from the employee on an informed basis.
We are recommending to all clients that they require clear affirmative action by an employee, through clauses in contracts of employment, to confirm the employee's awareness of the types of data that their employer holds in relation to them and, further, to confirm by way of clear affirmative action their acceptance of and consent to their employer handling that data. Where employers hold sensitive or special categories of data in respect of an employee, we recommend that the consent is separate and clearly distinguishable from the rest of the contractual document. This separate consent document can be completed by way of an appendix signed and dated by both parties and attached to the contract of employment.
The GDPR contains a list of conditions for valid consent including:
- Consent must be verifiable: the employer must be able to demonstrate that the employee has consented, so some form of record must be kept of how and when consent was given (Article 7(1)).
- Where consent is given in a written declaration which also concerns other matters, for example a contract of employment, the request for consent must be clearly distinguishable from the other matters (Article 7(2)).
- Prior to giving consent, employees must be informed of their right to withdraw consent at any time, and withdrawing consent must be as easy as giving it (for example, allowing consent to be withdrawn in the same medium in which it was obtained, such as by email) (Article 7(3)).
- When assessing whether consent has been freely given, 'utmost account' must be taken of whether the performance of a contract of employment is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Employers are warned that consent in these circumstances is unlikely to be considered freely given (Article 7(4)).
The Recitals to the GDPR highlight that a declaration of consent pre-formulated by the employer (as controller) should not contain unfair terms. Consent will not be regarded as freely given if the employee has no genuine or free choice or cannot refuse or withdraw consent without detriment (Recital 42).
Unhelpfully, the GDPR does not specify what action in the employment context constitutes explicit consent. Explicit consent is, however, one of the conditions under which special categories of personal data may be processed (Article 9(2)(a)); these categories include, for example, health data, biometric data used to uniquely identify a person, and trade union membership. Other Article 9(2) conditions, such as processing necessary to carry out obligations under employment law (Article 9(2)(b)), may also be available to employers. A key exercise in all HR professionals' approach to the GDPR is to classify and define all data held in respect of employees. This classification will form the basis of all records management. When the next stage of the Bill is finalised, the extent to which employers must procure explicit consent from employees to handle their personal and sensitive personal data ought to become clearer.
Withdrawal of Consent
Such is the ease with which employees can withdraw consent to their data being processed that one has to question whether the GDPR effectively limits consent to what is essential for the performance of the contract of employment. In our view, it would be difficult for an employee to use the GDPR as a legitimate reason to undermine the duties and obligations placed on them in a contract of employment by withdrawing consent to their employer holding certain data in relation to them. This area has yet to be explored however and it is issues such as the employee’s potential right to limit the performance of contracts that we foresee being legitimate issues of discussion and litigation in the future.
Consent has become more difficult to rely on to legitimise the processing of personal data in the employment context. The blurring of the distinction between consent and explicit consent in the GDPR does not help. The right of employees to withdraw their consent at any time needs to be addressed through careful drafting in contracts of employment. Employers will also need to be explicit and clear about any further processing of employee data that takes place. For example, where an employer uses a payroll company or a third-party benefits provider to process employee data, the employee must be informed of these recipients of their personal data (Article 13(1)(e)), and, where consent is the legal basis relied on for that processing, the consent obtained must clearly cover it.
Right to Compensation for Non-Pecuniary Loss
There is a powerful new right in the GDPR (Article 82) for employees to seek compensation for non-pecuniary loss such as distress. In the event that an employer experiences a data breach which results in the personal or sensitive personal data of an employee being compromised, the employee now has a direct right of recovery against the employer under the GDPR. This is a complete reversal of the position in Irish law as it previously existed [Collins v FBD Insurance PLC, High Court, 14 March 2013], where damages for breach of the Data Protection Acts did not extend to non-pecuniary loss.
Possibility of Class Actions
It remains to be seen whether Article 80 of the GDPR opens up the possibility of not-for-profit organisations such as trade unions bringing collective actions on behalf of employees who experience breaches of their rights under the GDPR. Class actions are unusual in the employment context; however, it remains to be seen whether the GDPR now opens the door to groups of employees seeking compensation through the Data Protection Commissioner and, in turn, through the Courts.
In line with the GDPR, employers will have to explain the legal basis for processing employee data in their contracts of employment, potentially in their privacy notices and when they respond to a data subject access request from an employee.
The difference between what constitutes consent and explicit consent in the employment context is not clear and we await further guidance on this issue. However, it is evident that a positive indication of consent to personal data being processed will be required. A logical place to record this clear consent is in the contract of employment. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. As the GDPR requires employers to be able to demonstrate that consent has been freely given, procedures must be in place for recording consent. Employers should also be aware that employees will have a stronger right to have their data erased where consent is relied on as the legal basis for processing (Article 17(1)(b)).
Action Points for HR Professionals
- HR professionals to review the types of data processing that are carried out in respect of employees and be clear about the legal basis for carrying out such processing and document it.
- HR professionals to review how consent is being obtained and recorded and whether any changes are needed. If consent is relied on, it should be capable of being easily withdrawn by the employee. Records of the actual consent given by the employee should be maintained and shared with the employee, ideally in the contract of employment or in an appendix to it.
- If relying on the 'legitimate interests' basis (Article 6(1)(f)) to justify processing employee data, for example where an employer contends that it is in its business's legitimate interests to process a particular category of data in respect of an employee, the assessment balancing the employer's interests against the interests and fundamental rights of the employee should be documented, and the processing should be described in the appropriate policy supplied to employees.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.