In the next of our series of briefings on the General Data Protection Regulation (GDPR) we focus on some more of the practical impacts of GDPR on the employment relationship and what businesses can do to manage these and prepare for implementation by May 2018.
Data subject access requests
Under the GDPR, employees will have the right to much more detailed, transparent and accessible information about the processing of their data. Data subject access requests will be easier for employees. In most cases employers will not be able to charge for complying with a request and normally will have just a month to comply, rather than the current 40 days. The removal of the £10 subject access fee is a significant change from the existing rules under the Data Protection Act (DPA).
Where requests are complex, a two-month extension is possible, giving a total of three months to comply. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, employers can either charge a reasonable fee (not capped) taking into account the administrative costs of providing the information, or refuse to respond.
Guidance will hopefully give an indication in due course of what sorts of requests could be viewed as complex, unfounded or excessive. However, the ICO is very unlikely to consider a request from an employee as complex, unfounded or excessive, even if they are asking for all their data, unless they have made a previous request recently. The ICO will expect employers to keep information in a manner which means they can locate and supply information within the initial month.
Where an employer intends to delay the response or refuses to respond to a request, the employer must write promptly to the individual within the month explaining why the request is refused or delayed. The employer must also inform them of their right to complain to the supervisory authority and to a judicial remedy.
The DPA contains various exemptions to the duty to disclose such as in relation to legal privilege but at present, the GDPR contains no such exemptions which an employer can rely on to avoid provision of the employee’s personal data. It may be that, in the UK at least, the doctrine of privilege will ‘trump’ data protection rights, but that remains to be tested.
Employers need to update procedures and plan how to handle requests within the new timescales. The GDPR introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well. In any event the ICO will expect employers to keep employee personal data in a manner which means that requests for access can be responded to promptly.
What this means in practice is that employers will need sophisticated policies and IT systems to manage DSARs within reasonable timeframes. In order to prepare for compliance, employers should take steps now to:
- Update procedures and plan how to handle SARs and provide any additional information within the new timescales;
- Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are complied with;
- Assess the organisation’s ability to isolate data pertaining to a specific individual quickly and to provide data in compliance with the GDPR’s format obligations;
- Ensure that employees are trained to recognise and respond quickly and appropriately to SARs; and
- Consider putting a ‘data subject access portal’ in place allowing an individual to access their information easily online.
Automated processing and profiling
Employees have a right under the GDPR to not be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability, and behaviour).
The ICO recently published a discussion paper on profiling in which it set out its initial thoughts on where automated processing may significantly affect an employee. In their view this includes processing that:
- Limits rights or denies an opportunity;
- Affects individuals’ financial or economic status or circumstances;
- Leaves individuals open to discrimination or unfair treatment;
- Involves the analysis of the special categories of personal data or other intrusive data;
- Causes individuals to change their behaviour in a significant way; or
- Has unlikely, unanticipated or unwanted consequences for individuals.
It is not difficult to see how these might be the outcome of automated processing of HR data. Areas where employers might currently use automated decision-making, which they should therefore review, include:
- Recruitment, including automated rejection or shortlisting;
- Performance management/triggers for sickness absence;
- Eligibility for attendance bonuses;
- Holiday or shift rostering;
- Employee monitoring; and
- Profiling, particularly where this may impact on selection for talent programmes or career progression rather than purely for development purposes.
From a practical perspective, employers need to ensure that where they use automated decision-making they can explain how it works and that there is another way to make an equivalent assessment of the individual if he or she objects.
In our next briefing we will focus on how employers can audit existing data processing across the employment lifecycle in order to identify risk areas, and how to develop an action plan and timeline to develop and implement a GDPR compliance programme.