With just weeks to go until the European General Data Protection Regulation (GDPR) comes into force, we revisit five of the most frequently asked employment law questions about GDPR that employers have put to us in recent weeks.
Frequently Asked Employment Law Questions Regarding GDPR
1. Should I be registering with the Information Commissioner’s Office (ICO), and if so what is the cost?
Alongside the GDPR, the UK's Data Protection (Charges and Information) Regulations 2018 require every business or other organisation that acts as a data controller to pay a data protection fee to the ICO, unless it is exempt.
There are three tiers of fee, and data controllers pay between £40 and £2,900. The tier depends on your organisation's size (turnover and number of staff) and, in some cases, on the type of organisation you are. The fee is due every 12 months.
If you process personal data relating to your staff and do not pay the data protection fee, or fail to tell the ICO that you no longer need to pay it because you are exempt, you are breaking the law and may be issued with a fine of up to £4,350.
2. What on earth is a DPO? Do we need one?
A Data Protection Officer (DPO) is a role intended to assist you to monitor internal compliance, inform and advise on your data protection obligations and act as a contact point for data subjects and the supervisory authority.
DPOs must be appointed by:
- Public authorities;
- Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals; or
- Organisations whose core activities involve large-scale processing of special category (sensitive) personal data or data about criminal convictions and offences.
If your organisation doesn’t fall into one of these categories, then you do not need to appoint a DPO. However, you can elect to appoint one and we would recommend in any event that you have a designated person/team within the organisation, who is responsible for these matters, and to whom employees can refer their queries.
3. What about ‘Brexit’? I represent a data controller in the UK. Should I still continue with GDPR planning and preparation?
If you process personal data about individuals in other EU countries in the course of offering them goods or services, you will need to comply with the GDPR regardless of whether the UK retains it after Brexit, because the GDPR applies to controllers outside the EU that target individuals in the EU. If your activities are limited to the UK, the position after the initial exit period is much less clear. The UK Government has indicated that it will implement an equivalent or alternative legal mechanism.
Our expectation is that any such legislation will largely follow the GDPR: the ICO and the UK Government have previously supported the GDPR as an effective privacy standard, and the GDPR provides a clear baseline against which UK businesses can seek continued access to the EU digital market.
4. We have employment consent for data processing in our existing employment contracts, do we need to review these?
In short, yes. Consent will remain one of the lawful grounds for processing employee data, but there are others which will be more useful in an employment context. Consent will not always be the easiest or most appropriate ground, because:
- Employees have the right to withdraw their consent at any time, after which you can no longer rely on it for that processing; and
- There is a real question over whether employees can give genuinely free consent when the balance of power in an employment relationship typically lies with the employer, and consent that is not freely given is not valid under the GDPR.
Consider relying on some of the other legal grounds for processing data, such as:
- Necessary for performance of a contract
- To comply with a legal obligation
- Legitimate interests
Your employment contracts and any existing data protection policies will need to be reviewed and updated to ensure that they adequately notify staff of their data subject rights and are compliant with the new rules.
5. I understand that data security is a big thing but we have lots of homeworkers, who take laptops and documents home – will this be banned?
No. The GDPR should not change the way you conduct business, but you do have to review your existing practices and carry out a risk assessment to make sure you are protecting the data you process as well as you reasonably can in the circumstances.
It is important that employees are trained on GDPR and instructed on what you will, and will not, permit in terms of data handling outside of the workplace. You want to avoid your business being responsible for a data breach and incurring substantial fines. To that end, consider what security measures you have in place and where perhaps things need to be improved.
As a minimum, physical documents should be stored safely and securely; lockable cabinets and cupboards are recommended. Laptops and other remote-working devices should be password protected, and the data on them encrypted, so that if a device falls into the wrong hands the data cannot be read by an unauthorised person. Note that a login password on its own does not protect the data on a lost or stolen laptop, because the disk can simply be removed and read on another machine; full-disk encryption (such as the built-in BitLocker on Windows or FileVault on macOS) is what actually keeps the data out of reach, and the GDPR itself treats encrypted data that is lost differently from unencrypted data when deciding what must be reported to the individuals affected. Be sensible about it: the GDPR does not say you have to buy all of your staff a bomb-proof safe, but you should give them clear guidance on how to protect the data they handle and avoid a breach.
How Can Nelsons Help?
If you are yet to start your preparation for GDPR or are feeling overwhelmed or lost, Nelsons can help you. Our services include:
- Full data protection audits
- Assistance with privacy policies which need to be provided to all data subjects before you process their data
- Privacy notices for job applicants setting out how you will process their data
- Data Protection policies for staff and suggested amendments to other policies
- Data breach reporting policy
- Awareness training for all staff or high level training for senior management and/or your HR department
- Assistance on issues around GDPR concerning your suppliers, customers, targets, employees and job applicants
- Advice on data subject rights – access requests, requests for data to be rectified or erased
Our team can provide expertise and guidance on any queries around the changes you need to implement in order to comply. For further information, please contact our employment law specialists on 0800 024 1976 or contact us via our online form.