How to Carry Out & Comply with the GDPR

Posted in: First Tuesday Q&A ROI on 6 March 2018
Bríd Nic Suibhne
A&L Goodbody

This month’s First Tuesday article is a range of questions that were submitted by audience members as part of Legal Island’s Annual Review of Employment Law conferences 2017, with a specific focus on the GDPR.

The need to understand and appreciate the strict obligations on employers with regards the storing and processing of data is now more important than ever as we move closer to the deadline on the 25th May 2018.

With potential fines of €20 million or 4% of global annual turnover employers need to review their data collection policies and consider how data security is ensured within their organisation.

This month, Bríd Nic Suibhne, Associate in A&L Goodbody’s employment law group has answered a number of GDPR-related queries, clarifying the position on consent, retention periods, data protection officers, contracts with third parties and the storage of employee data.

  1. Is consent in a contract sufficient?
  2. What about processing data in the public sector?
  3. Do we need to change contracts of employment with current employees?
  4. Does the company data retention policy supersede the statutory period outlined?
  5. When an employee leaves the organisation, how long should we retain their file?
  6. Who should we appoint as data protection officer?
  7. Do contracts with service providers need to be amended?
  8. How should we approach liability clauses in service agreements?
  9. How should employee data be stored?

Q. If consent to process data is contained in the contract of employment, is that sufficient? If not, and it is sought at induction, is this OK? Does consent need to be updated? Should we rely on consent if it can be withdrawn?

The GDPR defines consent of a data subject to be "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Although consent is one of the grounds allowing an employer to process personal data, the extent to which consent can be relied on in the context of the employer/employee relationship going forward is limited due to the unequal nature of the relationship – the suggestion being that such employee consent would not be "freely given" if consent is conditional on the employment relationship itself arising.

In short, regardless of whether employee consent is included in a contract of employment or obtained from an employee at some other time, it will no longer be a reliable basis for processing employee data once the GDPR comes into effect on 25 May 2018.

Historically, it has been common practice for employment contracts to include a blanket consent provision under the heading “data protection”. Typically this will provide that the employee consents to the use and processing of his/her data (e.g. transfer of data overseas, monitoring, and sharing of information with a wide variety of partners for payroll, insurance and health-related purposes and so on). Debate over the validity of this practice from a data protection perspective, which has been ongoing for some time, has now been settled by the GDPR. The GDPR formally recognises that in the employment sphere, consent is an insufficient basis for processing personal data due to the imbalance of power between employers and employees. Furthermore, under the GDPR, employees will have a right to withdraw their consent at any time. Accordingly, employee consent can no longer be a reliable basis for processing employee data because, if consent is withdrawn by the employee, any further processing of his/her personal data by the employer will be unlawful - unless the employer can rely on a legitimate basis for processing the data.

Employers can process employee data without the consent of the employee if they have an alternative and legitimate basis for the processing. For example:

  • the performance of the employment contract (e.g. payment of salary);
  • compliance with a legal obligation to which the employer is subject (e.g. deduction of taxes);
  • to protect the vital interests of the employee (this is intended to cover urgent health or humanitarian situations e.g. sharing personal data with the police to help to protect the data subject); and
  • to protect the legitimate interests of the employer (e.g. the transmission of personal data within a group of undertakings for internal administrative purposes).

Note that an employee can object to and question the processing of his/her data; therefore, an employer must be in a position to defend itself by demonstrating ongoing compliance with the principles of data protection.

Q. Can consent be used as a justification for processing data in the public sector?

The GDPR applies to employers in both the public and private sector; therefore, all employers are advised not to rely on employee consent to data processing, for the reasons outlined above.

Q. Do I need to change contracts of employment with current employees which have a consent to data processing clause?

No. Contracts already in place with current employees may only be amended with the consent of each individual employee. From a best practice perspective, we recommend that employers leave existing contracts of employment in place but notify current staff that, as a result of the GDPR, employers may not rely on employee consent (as set out in their employment contracts) in the context of processing their personal data, and will issue a Privacy Notice to employees, explaining how their data is processed and why.

Q. Regarding the GDPR, does the company data retention policy supersede the statutory period outlined?

Perhaps - the key is that employee personal data should only be retained for as long as necessary. In other words, an employer must have a good reason for keeping employee data. It is not acceptable to hang on to employee data just in case it might become useful at some point in the future. A considered approach is therefore necessary.

An employer must consider how long it retains each type of employee data and be in a position to point to a legitimate basis for retaining the data for a certain period of time. In many cases, statutory retention periods will dictate how long data is kept as employers can point to their legal obligation as the basis for retaining the data. In other cases, employers may choose to retain certain types of data beyond the statutory retention period or may retain data which is not subject to a statutory retention period. If so, the employer must be able to rely on a legitimate basis for doing so, for example, it may be necessary to preserve data pertaining to a particular employee in order to defend a legal claim.

Q. There are different retention periods for different pieces of employee data. When an employee leaves the organisation, how long should we retain their file?

One of the key data protection principles is that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed (subject to certain exceptions).

There is no blanket retention period which covers all employee data. Upon termination of employment, employee data should only be retained if it is necessary to do so. An employer typically holds many different types of data about an employee, for example, a CV, contract of employment, payroll records, records of working time, performance reviews, notes pertaining to various disciplinary/grievance investigations, compromise agreement and so on. Some of this data will need to be retained, some will not. A retention policy should be in place to cover how long each type of data should be retained and why. Data which is no longer needed should not be retained.

Q. Who would be the best person in an organisation to be the data protection officer?

Only employers that (i) are a public body, or (ii) have primary activities which require regular and systematic monitoring of data subjects on a large scale or the large-scale processing of sensitive data and data relating to criminal convictions, are required to appoint a Data Protection Officer (DPO).

When selecting a DPO, remember that a DPO does not need to be an employee, but can be a contractor and can have other duties in addition to his/her duties as a DPO. The GDPR states that a DPO does not need to be legally qualified but should have expert knowledge of data protection law. Practically speaking, therefore, a DPO must have a high level of education and training and/or experience of data protection law.

Q. Do contracts with service providers, for example, third parties who look after payroll, recruitment, benefits etc. need to be amended?

Yes. Agreements with service providers will need to be GDPR compliant by the time GDPR comes into force, which means that existing agreements will most likely need to be amended and in some cases renegotiated.

The GDPR sets out a list of terms which must be imposed on a data processor (by a controller) as follows:

  • To process data on documented instructions from the controller;
  • To ensure that the processor's staff are committed to confidentiality;
  • To take all appropriate security and organisational measures;
  • To sub-contract only with the prior permission of the controller;
  • To assist the controller in complying with its data breach notification obligations;
  • To delete or return all personal data to the controller, if requested, at the end of the processing; and
  • To make available to the controller all information necessary to demonstrate compliance with its processing obligations and allow audits to be conducted by the controller.

Q. For firms who outsource their HR function, how should they approach liability clauses (which usually limit the service provider's liability) within service agreements, taking into account the new penalties and fines that data processors will be subject to under GDPR?

It is important to consider exactly what services each service provider carries out for the employer (in order to categorise the service provider as a processor or controller), the type of data they have access to, and what the employer needs to do in terms of contractual assurances/obligations to ensure that it is protected from any GDPR breach by the service provider. In some cases, it may be that the service provider (for example a recruitment agency) is itself a data controller, but it is likely that in many cases the employer is the data controller and is ultimately responsible for complying with all aspects of the GDPR. Commercial negotiations are therefore recommended to introduce or strengthen warranties and indemnities contained in the agreement to ensure that the employer is sufficiently protected (against the heightened risk and consequences of a data breach by the processor).

Q. How should employee data be stored?

Employers’ obligations in relation to protecting personal data have been increased under the GDPR. Data must be protected by "appropriate technical and organisational measures" i.e. employers must have measures in place to safeguard the data they hold. It is up to each individual employer to assess risk (of unlawful or unauthorised processing and accidental loss, destruction or damage of data) and implement measures appropriate to that risk. The following measures are provided by way of example per the GDPR:

  • ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • implement a process of regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
  • encryption and pseudonymisation of data.

Practically, this means implementing a reliable and resilient IT system with the requisite ability to back up and restore employee data, protecting employee data by using firewalls and anti-virus software, and limiting access to only those individuals who need it by the use of passwords and access permissions etc. Security measures should also be applied to portable media devices such as laptops, phones and USB keys. Hard copy data should be stored in cabinets which can be locked, and shredded securely when being disposed of. Users who are permitted to access employee data should receive training on security measures.

Encryption and pseudonymisation of data are not mandatory but are referred to as examples of appropriate security measures. Higher security is necessary in respect of special categories of data.
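As an added illustration of the pseudonymisation measure referred to above (this is example code, not part of the original article), the working dataset keeps only a keyed token in place of each employee's identifiers, while the token-to-identity lookup is the "additional information" that must be held separately under its own access controls. The employee records, field names and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample HR export (fictitious people, not real data).
EMPLOYEE_RECORDS = [
    {"employee_id": "E1001", "name": "Ann Example", "email": "ann@example.invalid",
     "department": "Finance", "sick_days_2017": 3},
    {"employee_id": "E1002", "name": "Bob Sample", "email": "bob@example.invalid",
     "department": "IT", "sick_days_2017": 0},
]

# Fields that directly identify a person; they must not appear in the working dataset.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")


def pseudonym(secret_key: bytes, employee_id: str) -> str:
    """Deterministic keyed token: the same employee always maps to the same
    token, but nobody without the key can reverse or recompute it."""
    return hmac.new(secret_key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret_key: bytes):
    """Split records into (1) a working dataset in which direct identifiers are
    replaced by a token and (2) a separate lookup (token -> identity), which is
    the 'additional information' to be stored apart from the working data."""
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(secret_key, rec["employee_id"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"token": token, **row})
    return working, lookup


def contains_direct_identifiers(working) -> bool:
    """Check run before a working dataset is shared: True if any identifier leaked."""
    return any(k in row for row in working for k in DIRECT_IDENTIFIERS)


def reidentify(token: str, lookup):
    """Only the holder of the separately stored lookup can put a name back."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep with the lookup, under separate access control
    working, lookup = pseudonymise(EMPLOYEE_RECORDS, key)
    print(working)
    print(reidentify(working[0]["token"], lookup))
```

Analysts (for example, an HR statistics or absence report) work from `working` alone; the key and `lookup` stay with the controller, so losing the working dataset does not by itself expose who the rows describe.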

This article is correct at 06/03/2018
Disclaimer:

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

The main content of this article was provided by Bríd Nic Suibhne. Contact telephone number is +353 1 649 2000 or email bnicsuibhne@algoodbody.com
