The countdown to the replacement of the current Data Protection Act with the General Data Protection Regulation (“GDPR”) is now in full swing and the GDPR will become law with effect from 25 May 2018.
Early indications are that there is a lack of awareness, particularly within the SME community, of the sea change in not just structure but also attitudes that will be required to become GDPR compliant. At the very least, by now companies should have made preparation for the GDPR a board-level agenda item and identified a project team or project leader to evaluate the process and administrative changes that are necessary to become GDPR compliant. The responsible individuals should then create a timetable leading up to 25 May 2018 with checklists and milestones identified and agreed.
Although it is not mandatory to have in place a Data Protection Officer (“DPO”) unless you are a public authority, or an organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data, it is certainly good practice. In short the role of the DPO is:
· to act as advisor to the organisation about its obligation to comply with the requirements of the GDPR and to provide information to its employees;
· to monitor and manage internal data processing activities to ensure compliance with the GDPR, train employees, conduct internal audits and provide guidance on impact assessments associated with data processing;
· to be the point of contact for the Information Commissioner’s Office (“ICO”), which is the supervisory authority for the UK.
A note of caution: compliance with the GDPR is not the responsibility of any one individual but requires top-down support and the awareness and engagement of department heads, managers and individuals as to their roles and responsibilities.
Set out below are two examples of how the GDPR will change the existing law.
1. SUBJECT ACCESS REQUESTS UNDER THE GDPR
The data subject access right in the GDPR makes some changes to the rules on responding to a data subject access request.
Data subjects will continue to have the right under the GDPR to access personal data concerning them and to obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients of the data. Under the GDPR, the employer will have to inform the data subjects:
· of any recipients of the data in countries outside the European Economic Area and the safeguards applied on a third country transfer of data;
· of the envisaged retention period for the data, or the criteria used to determine that period; and
· of the data subject’s rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.
Employers, and other data controllers, will have to respond to a data subject access request ‘without undue delay’ and within one month at the latest. This can be extended by two further months where necessary, taking into account the complexity and number of requests. Under the current rules, data controllers have 40 days to respond to a request.
Data controllers will no longer be able to charge a fee for providing information in response to a data subject access request, unless the request is ‘manifestly unfounded or excessive,’ in particular because it is repetitive.
If an employer receives a request that is manifestly unfounded or excessive, it will be able to charge a reasonable fee taking into account the administrative costs of responding to the request. Alternatively, it will be able to refuse to act on the request.
Where the data subject makes a request by electronic means, the information will need to be provided by electronic means where possible, unless the data subject requests otherwise.
2. RECRUITMENT DATA UNDER THE GDPR
The GDPR, amongst other things, contains provisions that will govern the collection of personal data about job applicants during a recruitment process.
The new rules will apply to data obtained from the applicant or from a third party such as a recruitment agency.
Prospective employers will need to provide applicants with an information notice. This notice will need to contain certain information, including the purposes for which the data will be processed, the legal basis for processing and the period for which the data will be retained.
Employers will be able to provide the information notice on their website, and send a link to or a copy of the notice in correspondence to individual applicants. Where the employer advertises a post on a website owned by a third party, it should ensure that the details of the vacancy include a link to the information notice.
Employers should retain only the minimum data required and only keep it until the relevant limitation periods for bringing potential tribunal claims have expired.
Employers who intend to keep the details of unsuccessful candidates on file for future recruitment rounds must obtain the candidates’ consent to this. Employers who keep unsolicited CVs on file for future recruitment rounds will need to inform candidates of this in the information notice.
Job applicants will have the right not to be subject to a decision based solely on automated processing. Employers will only be able to use automated decision making if it is:
· necessary for entering into or performing a contract;
· authorised by law; or
· based on the applicant’s explicit consent.
Employers who use automated decision making will need to advise applicants of this in the information notice. They will also have to provide safeguards for applicants by allowing them to contest the automated decision and by giving them the right to an alternative means of making the decision using human intervention.
Employers who use recruitment agencies should satisfy themselves that the agency will implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects.
For further information and support with your GDPR compliance preparations contact FG Solicitors on 01604 871143 where a member of the team will be happy to assist.
The team at FG Solicitors are experienced data protection experts and we can help you with tailored best-practice HR and Legal audit solutions, beginning with evaluating your current data protection framework enabling you to confidently establish a GDPR compliance roadmap.
We will work with you to identify remedial action tailored to your method of operation thus ensuring a best-fit data compliance framework. Regardless of the size of your organisation, we can tailor our GDPR support services to your specific needs. AUDIT! REMEDIATION! IMPLEMENTATION! TRAINING!
Contact us for a no obligation informal discussion. www.fgsolicitors.co.uk
Book now for the GDPR Seminar
On Thursday 28th September, FG Solicitors will be giving businesses a chance to gain a better understanding of the GDPR, a data protection law that will apply directly in the UK and affect every business.
FG Solicitors, in line with its continuing dedicated support to employers, will be hosting the first in a series of seminars to be held between now and the 25 May 2018 designed to support employers in ensuring that they are prepared for the significant changes that the GDPR will bring.
UK data protection law will fundamentally change on 25th May 2018 when the current Data Protection Act 1998 is replaced by the General Data Protection Regulation (GDPR).
Now this is YOUR chance to find out what impact it will have on you as an employer and on your business.
So what can you expect at the seminar?
The seminar will focus on the application of the GDPR to employers and what they should be doing now to prepare, and in particular will cover:
Key differences between the current and new data protection regimes;
The extended rights of data subjects under GDPR;
New requirements including Privacy Impact Assessments and Privacy by Design;
The now critical role of the Data Protection Officer;
The new enforcement and penalties regime under the GDPR, with fines of up to €20M or 4% of worldwide annual turnover, whichever is the higher; and
The requirement that the Data Protection Officer act as the contact point for the supervisory authority on issues related to the processing of personal data.
Floyd Graham, Principal and Founder of FG Solicitors, will be the speaker at the seminar. Floyd is a dedicated employment solicitor who has practised in this area of law for over two decades, providing commercially sound expertise and guidance to employers. Floyd is considered a thinker and leading light in the employment law sphere and is a regular speaker and highly regarded commentator on the intricacies of the employer/employee relationship, with a devoted following.
THE CURRENT LAW
The law as it currently stands provides that a woman is entitled to take up to 52 weeks’ Maternity Leave and to receive up to 39 weeks’ Maternity Pay, set at a minimum level by the Government each year. Some employers choose to enhance this pay in accordance with internal policies.
Fathers are entitled to only 2 weeks’ Paternity Leave but, since 2015, can opt to share the Maternity Leave and Maternity Pay with a child’s mother under the Shared Parental Leave (“ShPL”) scheme.
The question for employers, and specifically that raised by Mr. Ali in this case is this…should an employer who has an internal policy of paying enhanced Maternity Pay to female employees, pay this enhanced rate of pay to a father who takes ShPL, or should the father simply be paid the statutory minimum level of pay under the Shared Parental Pay (“ShPP”) scheme?
In this specific case, female employees employed by Capita Customer Management (“Capita”) who had transferred into the business via TUPE, were entitled to Maternity Pay comprising 14 weeks’ pay at the level of their basic salary, before moving to 25 weeks’ pay at the statutory minimum level (currently £140.98 per week). Transferring male employees were entitled to 2 weeks paid Paternity Leave.
Mr Ali took 2 weeks’ Paternity Leave immediately following the birth of his daughter, but then decided to request further time off work to care for his daughter. Capita advised that he was entitled to take a period of ShPL, but informed him that he would be paid ShPP only; he would not be entitled to the 14 weeks’ pay at the level of his basic salary that his partner would have received had she decided to continue Maternity Leave.
Mr. Ali objected to this, alleging that it was open to parents to choose which one of them should be the primary caregiver, and for an employer to elect to pay a mother more than a father in respect of the necessary leave taken for this purpose was direct sex discrimination.
The Tribunal upheld Mr. Ali’s argument. It confirmed that he could compare himself to how a hypothetical female colleague who had taken Maternity Leave would have been treated, and the denial of full pay to Mr. Ali was unfavourable treatment due to his sex.
However, employers should be aware that this is only a first instance Tribunal decision and is currently being appealed.
In another recent case based on similar circumstances, Hextall v Chief Constable of Leicestershire Police, the Tribunal reached a different decision. It held that Maternity Leave and Maternity Pay are “special treatment” afforded to women in connection with pregnancy and childbirth, which did not go any further than “reasonably necessary”, on the basis that women suffer disadvantages in work due to pregnancy and maternity, which typically affects a mother’s finances more than a father’s.
Capita and Hextall also conflict on whether a valid comparison can be made between a mother taking Maternity Leave and a parent taking ShPL. Both men and women can take ShPL, whereas only a woman can take Maternity Leave. Maternity Leave is also different in that a woman can choose to start it before her child’s birth, whereas ShPL cannot start until 2 weeks after birth, and it is impossible to take ShPL without both parents agreeing to it, whereas Maternity Leave can be taken as of right.
The Hextall Tribunal concluded that the correct comparator for the father in question was a woman taking ShPL, and as the woman would receive ShPP on the same terms as the man, there was no less favourable treatment and accordingly no discrimination.
The question as to which case is the correct interpretation of the law will now be left to the Appeal Tribunals. Therefore, before employers rush to change their policies, they may wish to review the business reasons behind their current family policies, whilst keeping abreast of the final decisions in these cases.
If you would like more advice about any of the issues raised in this article, please contact a member of our team on 01604 871143.
In terms of legal opinion on which others may place reliance, it is often advisable to do away with the needle of innuendo and pick up the club of statement. In line with that adopted position, you are invited to consider the implications of the impending arrival of the General Data Protection Regulation (“GDPR”).
As the regulations have their origins in EU law, an immediate question is will they survive Brexit? The short answer is that even if the regulations do not survive intact post Brexit, the Government has confirmed that the UK will implement the GDPR when it comes into effect on 25 May 2018 because the UK will still be a member of the EU at that time.
The GDPR heralds the biggest shake up in privacy laws in 20 years and will have a seismic impact on the human resource data processing undertaken by employers and employment related entities.
There will be some fundamental changes to the current law, and organisations need to be aware of those changes and should be actively developing a strategy for compliance ahead of the changes coming into effect in May 2018. This is especially so because the cost of GDPR non-compliance has risen dramatically when compared with non-compliance under current data protection legislation: the new maximum fines are €20M or 4% of a business’s total worldwide annual turnover for the previous financial year, whichever is the higher. It will also become easier for individuals to claim compensation, and group actions will be more likely.
THE KEY CHANGES…
As a minimum, the key changes for staff engagement purposes include:
Consent: No longer will it be sufficient to include in Contracts of Employment a blanket clause stating that an employee is deemed to give consent to the lawful processing of their data. Where consent is relied upon, organisations will be obliged to demonstrate that it has been given for each specific processing purpose in question, that it was freely given (potentially difficult in the master/servant relationship which is employment) and that it is “informed.” The organisation will also need to implement a mechanism for the withdrawal of that consent at any time. In practice, employers will usually need to rely on another lawful basis for routine HR processing, such as performance of the employment contract, compliance with a legal obligation or legitimate interests, and reserve consent for cases where the employee can genuinely refuse without detriment.
Subject Access Requests: The information to which data subjects will be entitled under the GDPR is more extensive. The time for providing that information is reduced from 40 days to one month, and there will no longer be a general right for organisations to charge a fee to provide this data (a reasonable fee may be charged only where a request is manifestly unfounded or excessive).
Right to Erasure: Also known as “the right to be forgotten,” this is a new right where individuals can request that their personal data is permanently deleted in certain circumstances. This will cause organisations particular difficulties where personal files are held both centrally and locally (for example, by a line manager).
Right to Restriction: There are instances when organisations are obliged to restrict processing; this includes employee challenges to the accuracy of personal data. This could result in certain management processes being stalled.
Breach Notifications: Unless the breach is unlikely to result in a risk to the individuals concerned, data controllers will be obliged to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Data processors must notify the controller without undue delay after becoming aware of a breach, and where a breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.
DO WE NEED TO DO ANYTHING YET?
Organisations could be forgiven for thinking that, as the GDPR implementation date (25 May 2018) is still the best part of 12 months away, and with Brexit looming, the matter can be left for now. But compliance with this legislation will require a good deal of planning and remapping of existing processes. The immediate steps for any organisation include:
- A comprehensive audit of existing systems and processes;
- Deciding whether additional personnel should be recruited to take on specific roles and responsibilities;
- Designing systems that will assist with GDPR compliance (including breach notification compliance);
- Identifying appropriate training for staff – for example, general awareness training for staff with more specific training for those with greater compliance responsibilities (including the IT Department and HR managers); and
- Reviewing and upgrading current Contracts of Employment and policies to manage risk.
We can undertake your audit and assist you with preparation for GDPR implementation. For a no-obligation consultation, please call a member of our team on 01604 871143 or email us on firstname.lastname@example.org