Employment Documentation and the GDPR
Posted in: Back to Basics on 27 February 2018
Gareth Walls, Partner and Head of the Employment and Incentives Team at A&L Goodbody in Northern Ireland, considers central aspects of the GDPR that all HR practitioners need to understand as we move closer to the deadline on the 25th May 2018. The GDPR imposes strict obligations on employers with regard to the controlling and processing of data.
Gareth offers pragmatic advice on how best to comply with the regulation, discussing various aspects of the legislation, namely the significance of conducting a data audit, the appointment of a Data Protection Officer, the hefty fines dominating headlines and how to respond to a subject access request. Gareth stresses the importance of having a good understanding of your obligations under the legislation, the need to update contracts of employment, policies and procedures and the requirement to train all staff, particularly middle and senior-level management from the outset.
Note: Legal-Island is running a Data Protection Update: Ensuring Your HR Department is GDPR-Compliant conference at the Hilton Hotel, Belfast on Wednesday 14th March 2018. Limited places remaining - book now.
Today I'm going to talk about the GDPR - the General Data Protection Regulations. We hear an awful lot about those. And actually, there will be seminars for fun on GDPR over the next few months as we move closer to May 2018. So, I'm not going to cover absolutely everything about GDPR. It's more or less the basics that I want to consider. And these are the basics that all HR practitioners need to understand as we move closer to May 2018.
So, the GDPR will harmonize the EU approach to data processing in Northern Ireland and GB, and regardless of Brexit, GDPR is here to stay. So it is something that we absolutely need to be aware of and it is something that we need to be prepared for. It's going to entirely replace the Data Protection Act 1998, and that is a piece of legislation which practitioners in the UK, GB and NI were very familiar with. It brought with it a number of new instances of how to deal with data processing, and certain solicitors will have jumped on the DPA and used and abused that, I think, in relation to access of personal information and sensitive personal data. GDPR will go some way to remedy that but it will also bring in a number of other obligations on employers which we need to consider, and that's really what we're going to talk about today.
So we do know it's coming into force in May 2018. That is a hard and fast entry date, so the countdown for that is already ticking, and there's going to be no departure from that. There's going to be no special status for Northern Ireland within that, so everybody needs to be fully compliant and aware by that date. It will bring with it the capacity for significant fines but I should stress it's not all about fines. Generally, that's the downside to most of the seminars and most of the advertising that you will see about it: it's all about the fines and negativity. There's an awful lot more to it than that. Obviously, we want to avoid the fines, but to understand how best to do that, we need to go through some very pragmatic basics.
And the first of those, I think, which all employers should do is an audit. In many ways, it's a bit like English comprehension. It's who, what, why, when, where. We need to do that not as a download from the internet which is applied to all and any businesses, we need to do that as a bespoke employer in a particular industry, in a particular context in Northern Ireland. And we'll see as we talk through some of the issues as to why that's so important. But without going too crazy about the English comprehension, it really is about what you hold, who you hold it about, how do you hold it... and by hold it, I mean sensitive, personal data, etc... where is the information held, and importantly for the purpose of the audit and for GDPR, when do you amend that information, when do you destroy it. We're going to look at the right to be forgotten in due course with GDPR, which is more well-established than it ever was under the DPA. So, that's something we need to be fully aware of. And again, the what in relation to understanding the change in definitions of data, data processing, data controller, which we were used to under the Data Protection Act 1998, and which are to a degree going to be augmented under the GDPR when it comes into play in May next year.
So there are other aspects to think about. Bearing in mind that there's a wealth of information out there online in terms of GDPR awareness, what we're going to be able to do, etc., etc. We need to focus on that from a Northern Irish perspective as well because there's a lot more to it in Northern Ireland that isn't necessarily engaged particularly by English-based or GB-based HR practitioners and advisers. For example, the Fair Employment and Treatment Order. We will still have monitoring obligations in relation to collation of information, retention of that information, provision of it to third parties, albeit the Equality Commission. Nevertheless, we will need to have our FETO policies and monitoring compliance enshrined in policy, and we will need to be able to communicate that consistently and effectively to any employee should they raise a concern.
Rehabilitation of Offenders legislation in Northern Ireland is also very much Northern Irish specific. So we need to consider what aspects of that are engaged whenever we're dealing with sensitive, personal data under the GDPR as we move towards implementation date. And again, there are the little Northern Irish nuances like Access NI, and the Protection of Children and Vulnerable Adults which illustrate that whilst the vast majority of GDPR columns and information that we're getting will work in GB as it does in Northern Ireland, nevertheless, there will be Northern Irish nuances that we need to keep on top of.
So we will also need to appoint a data protection officer. That will be a mandatory requirement. And it will not simply be sufficient to appoint someone and give them a paper title. This is an individual who will need to be trained, because simply appointing someone, or indeed drafting a beautiful policy with consents and employee notices, will be of absolutely no value to you should we not actually train the data protection officer and give them the skills and the responsibility to actually meet their needs and to facilitate the obligations of the business. But also, we need to train all our staff, certainly the middle and senior-level management at the outset in relation to what GDPR actually means, and we need and should cascade that training down to all members of staff so they have a good understanding of obligations and what data is to be held, etc.
And then I think, actually what we're going to get into is very much a sort of a cyclical process. We'll do the audit which I've talked about. We need to do the training and the appointment of the individual. We need to apply our policies and the training in principle, and then we need to review that. That's where I think it will become a cyclical piece because once we've appointed the individuals, we need to continually review, audit, train, and apply, so as to preserve as much litigation defence as we possibly can for pure litigation pieces, and also should there ever be a breach and there's a need to inform either the Information Commissioner or whomsoever they may appoint in due course to monitor this and enforce the fines, we need to be able to illustrate compliance as best we possibly can.
Obviously, there's a significant issue in relation to data breaches under GDPR. And the big piece there is understanding what, in fact, constitutes a breach, and notification without delay. That's where the fines, I think, are going to be more significantly focused. It's where an organization has a policy, has become aware of a breach, recognizes it as a breach, which is often the hardest bit, and then fails to notify the breach. So that is something which needs to be enshrined in your policies, and that's something that, I think, we need to focus most of our training and emphasis on.
So to close then, in relation to GDPR, there are really three or four issues that I want to focus on: the fines themselves, SARs, subject access requests, and litigation generally. And this is where HR practitioners and employers are going to need to move because we're going to move from what we were used to under the DPA and get used to the new regime under GDPR. So, yes, there is a technical fine of up to €20 million or 4% worldwide turnover, whichever is the greater. So everybody will be aware of that because that's what you're hearing day in and day out in relation to the GDPR training and awareness.
But I don't think that's the thing to focus exclusively on. SARs, I think, we're going to see a lot more focus on, come May 2018, going forward. We know anecdotally that there are organizations in GB which are now being registered and employees are being trained solely to run SARs for third parties and for employees, post-May 2018. So if there is an inherent industry in that, and that is coming down the track, then we as employers and HR practitioners need to guard against that and understand the limitations of a SAR and how best to deal with that. There's a very useful Court of Appeal case on that, which is Durant. I'm not going to go into it now but it's worthwhile understanding and having a look at because what that does is explain how and when a SAR or subject access request should be used, and more importantly, how an employer should respond to that, i.e. is this a fishing exercise, is this something that I can legitimately push back on, or what are the key areas where we actually do need to comply and stay on the right side of the law.
So let's have a think about that. Don't be afraid when a SAR lands, even if it's embodied within a solicitor's firm. Don't be too offended by that. Solicitors are very acute at knowing how to use and abuse legislation and to give it a veneer or an overlay that maybe it wasn't initially intended for. A good example of that is how the Data Protection Act was used and, as I say, arguably misused in certain circumstances to become a fishing exercise. But that is going to be replaced in any event by GDPR, so we have got to be ready for that as employers.
The fee of £10 is going to go. So, in other words, there's another way whereby the focus of the legislation is to give employees the information which is being held by them. That's totally legitimate, and we just have to make sure that we change our systems, our processes to ensure that we're GDPR compliant. That is going to mean more than just appointing a DPO and training them. It is going to mean a complete rewrite of our contracts of employment, especially if they reference the DPA 1998, because that would be obsolete legislation and will give solicitors and tribunals a platform upon which to build the picture of an employer being obsolete and ill-prepared for current legislation. And all our policies, our protocols, our procedures, our handbook, our internet, anything that references DPA 1998 will need to be updated. Anything that references data, the processing of data, subject access requests, all needs to be reconsidered in light of the legislation that's coming into play next year.
So we've got to work on that and unfortunately, no surprise, the time to do that is now. The clock is ticking. We have a lot to do to get ready for it. But hopefully, this little session will have given you a heads up as to some of the key issues to look for. And by all means, get in contact. We can assist further.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.