As you prepare for the implementation of GDPR, there are a number of practical measures to consider when it comes to processing employee data.
Most accountancy firms collect and process personal data relating to their employees on an ongoing basis as part of their everyday personnel administration. Personal data processed by your firm could be anything from salary details for administering payroll to sick notes presented by employees regarding absence. As a result, most accountancy firms will be affected by the EU General Data Protection Regulation (GDPR), which will regulate the processing of personal data when it becomes directly applicable from 25 May 2018. With four months to go before GDPR applies to your firm, this article focuses on what GDPR is and some practical measures you should consider in terms of processing employee data.
What is GDPR?
Over the past two years, we have noticed many organisations struggle to assess where they should start in terms of preparing for GDPR. It is helpful to remember that we have had data protection legislation in Ireland since 1988 and therefore, firms who have taken data protection compliance seriously are already in good shape for meeting GDPR’s increased compliance standards.
GDPR builds upon, and enhances, many of the existing data protection requirements and principles under current Irish data protection legislation. Rather than fear it, GDPR should be viewed as an opportunity to re-visit your firm’s level of data protection compliance.
From 25 May 2018, GDPR will replace the 1995 Data Protection Directive, which is the EU legislation on which the main Irish data protection legislation, the Data Protection Acts 1988 and 2003 (as amended) (DPA), is based. There will also be Irish implementing national legislation to give further effect to, and provide for exemptions from, GDPR. In Ireland, the Department of Justice and Equality published the General Scheme of the Data Protection Bill 2017 in May 2017 (General Scheme). The General Scheme essentially sets out the heads that are proposed to be included in the Irish implementing legislation when it is enacted. As a general comment, the General Scheme is very much in draft form and is lacking in detail. Therefore, publication of the draft Bill is anxiously awaited. At the time of writing, it is not yet known when a draft Bill will be published but it may be released before publication of this article.
“Consent” in employment contracts
As with the current DPA, in order to process an employee’s personal data your firm needs a legal basis to do so. Many of the legal bases that employers currently rely upon to process employee personal data will continue to exist under GDPR. The most relevant legal bases to employers, both under the DPA and GDPR, are as follows:
- The employee has given their consent to the processing;
- Processing is necessary for the performance of a contract to which the employee is a party;
- Processing is necessary in order to take steps at the request of the employee prior to entering into a contract;
- Compliance with a legal obligation;
- Processing is necessary to protect the employee’s vital interests; and
- For the purposes of the legitimate interests of the firm.
In practice, we find that many employers tend to rely upon the first legal basis mentioned above for data processing, namely consent, which is usually procured in the employment contract. For consent to be valid, it must, among other things, be “freely given”. This raises concerns in an employment context as it is questionable whether an employee’s consent is freely given on the basis of the imbalance of power between employer and employee. The Irish Office of the Data Protection Commissioner (ODPC) has also raised this concern in the context of the existing DPA. The Article 29 Working Party, which is the representative group of EU data protection authorities, recently commented in non-binding guidance that an employee is rarely in a position to give free consent.
Significantly for employers, consent can also be retracted by employees at any time and it must be as easy to withdraw consent as it is to give it. Operationally, firms will need to have the resources in place to facilitate an employee retracting their consent.
Another point to bear in mind when relying upon consent is that certain data subject rights can only be exercised where consent is the legal basis – for example, the right to data portability and the so-called “right to be forgotten”.
Based on the concerns with relying upon consent, now is the time to consider whether alternative legal bases could be relied upon by your firm for certain processing of personal data. For example, processing an employee’s details as part of payroll could instead be based upon the legal basis of performance of a contract with the employee.
There may, however, be situations where consent is the only appropriate legal basis to rely upon. Such a situation may arise, for example, in the context of processing an employee’s medical information where such processing is not required by employment law. Where it is necessary to rely upon consent as a legal basis, consent should be procured through a declaration or other document separate to the employment contract, which is not intrinsically linked to the employee’s acceptance of their employment with the firm.
Data subject rights
GDPR introduces new data subject rights and also modifies some of the existing rights under the DPA. A modified right, which many firms may be familiar with, is the right of access, exercised by way of a data subject access request (SAR). This essentially gives an individual the right to receive a copy of his or her personal data which a data controller (e.g. an employer) holds. In practice, we find that SARs are being made more frequently by employees, particularly as an alternative to discovery in litigation or as a fishing exercise prior to making an employment claim against the employer.
SARs as they currently exist can be onerous for an employer to comply with and GDPR will not make them any easier from an employer’s perspective. The current tight time-frame to respond to a SAR of “as soon as may be” but not longer than 40 calendar days will shorten under GDPR to a response being required “without undue delay” and in any event within one month of receiving a valid access request. Currently under the DPA, employers are entitled to charge an administrative access fee of €6.35 for processing a SAR, which will be abolished by GDPR unless the employer can demonstrate that the cost will be excessive.
The shorter time-frame for responding to a SAR means that firms will need to ensure that they have the policies and procedures in place to comply with a SAR received and that they have sufficient staff and resources. However, if a request is complex or a number of requests are made, then the time-frame can be extended by a further two months where necessary. The data subject must be informed of the extension, and the reasons for it, within one month of the employer having received the SAR.
Accountability is a core principle of GDPR. It requires that firms not only comply with GDPR by implementing appropriate technical and organisational measures and appropriate data protection policies, but that they are also able to demonstrate their compliance. The current Data Protection Commissioner, Helen Dixon, has noted that this is not just a pen-pushing exercise. You therefore need to be able to meaningfully demonstrate compliance. As such, this will involve more than simply having data protection policies and processing registers in place that comply with GDPR. Your firm will also need to be able to show that it has implemented such policies, for example through staff training and regular checks and testing.
Information to be provided to employees
GDPR sets out the information that must be provided to employees (and job candidates) when their personal data is collected. This includes:
- The firm’s name and contact details and the name and contact details of your data protection officer (where one has been appointed);
- The purpose(s) of the processing as well as the legal bases for processing;
- Where the legal basis for processing is based on the firm’s legitimate interests, those legitimate interests should be identified;
- The recipients or categories of recipients of personal data;
- Whether the firm intends to transfer personal data to a third country and, if so, the legal basis for the transfer;
- The retention period for personal data and the criteria used to determine this;
- How employees (or job candidates) can exercise their right of access, rectification, erasure, restriction to processing, objection to processing and data portability, if such rights apply to the employee (or job candidate);
- How employees (or job candidates) can retract their consent to processing, where the processing by the firm is based on consent;
- The right to submit a complaint to the relevant Data Protection Supervisory Authority;
- Whether the employee (or job candidate) is required to provide their personal data pursuant to statute or a contract, and the consequences of failing to provide such data; and
- The existence of automated decision-making, including profiling, and the logic and consequences of the processing for the employee (or job candidate).
It is important to review existing notices and policies given to employees and job candidates in order to check that they include the above information.
Data Protection Officer
An important change being introduced by GDPR is the requirement for certain data controllers and processors to appoint a data protection officer (DPO). The DPO will be responsible for overseeing the organisation’s compliance with data protection. The DPO is not, however, a new concept. While this will be the first time in Ireland that this role has been codified, many organisations may already have an individual responsible for data protection compliance and DPOs are in fact required in Germany. What is new under GDPR is the fact that a DPO must, under statute, be appointed for the following controller and processor organisations:
- Public authorities or bodies (except for courts acting in a judicial capacity);
- Data controllers and processors whose core activities consist of processing, “which require regular and systematic monitoring of data subjects on a large scale”; and
- Data controllers and processors engaged in large-scale processing of sensitive personal data or personal data relating to criminal convictions and offences.
The Article 29 Working Party, in guidance, recommends that controllers and processors document the internal analysis conducted to decide whether a DPO is required. An important point that the Article 29 Working Party has also highlighted is that, while organisations are free to appoint a DPO voluntarily and the Article 29 Working Party encourages this, a voluntarily-appointed DPO is under the same obligations as a mandatorily-appointed DPO.
With the above in mind, firms that already have an individual whose day-to-day work is largely the same as a DPO may want to consider the increased responsibility of the role; the fact that the DPO reports to the highest management level; that the DPO function must be adequately resourced; and further, that a DPO is expected to have expert knowledge of data protection law. Significantly, it is a form of protected employment as the DPO cannot be dismissed or penalised for fulfilling their tasks within the firm. This role needs to be carefully considered before making an appointment.
Peter Bolger is the Head of Intellectual Property, Technology and Privacy at LK Shields.
This article was originally published in the February 2018 issue of Accountancy Ireland.