The General Data Protection Regulation (GDPR) places direct data processing obligations on employers at an EU-wide level. Under the GDPR, an employer can only process the personal data of employees under certain conditions. In all scenarios, such processing should be fair and transparent for a specified purpose and limited to the data necessary to fulfil that designated purpose. It must also be founded on one of the following six grounds, according to the Data Protection Commission:
If an employer is relying on the legitimate interest clause to process the data of an employee, it must be satisfied that doing so does not affect the fundamental rights and freedoms of the employee concerned. If the employee’s rights override the interests of the employer, then the employer cannot process their data.
Access and portability under GDPR
Employees have the right to request access to their personal data, free of charge and in an accessible format, from their employer. If an employer receives such a request then they have to:
With regard to the details surrounding the processing of employee data, such information would include the purposes of the processing, the categories of the personal data concerned and the recipients of the employee’s data.
When the processing is based on consent, or on a contract of employment, the employee can ask for the personal data to be returned to them or transmitted to another employer. This is known as the right to data portability. Employers should be mindful that the right of access and the right to data portability are distinct but closely related rights. Employers should take due care to ensure that there is no confusion about which right is being exercised by their employees.
Accountability obligation under GDPR
Accountability is a core principle for employers. It requires that employers put in place appropriate technical and organisational measures to ensure compliance with GDPR and, furthermore, that they be in a position to demonstrate the procedural and operational effectiveness of those measures when requested.
In order to demonstrate compliance, employers should be able to demonstrate the following proofs:
Establishing an inventory will enable employers to amend incorrect data or track third-party disclosures, which is something they are required to do under GDPR. In order to demonstrate compliance with the relevant data protection principles, employers should consider the following six questions:
Lawful processing under GDPR
In order to process the personal data of employees, an employer must have a lawful basis to do so. The lawful grounds for employers to process personal data are set out in Article 6 of the GDPR, which include:
Transparency under GDPR
Employers that process employee personal data must provide those employees with information regarding the type of processing that is taking place and who is carrying it out.
This information must clearly state:
If an employer is relying on a legitimate interest as the legal basis for processing employee data, they must be in a position to clearly explain to the employee what that legitimate interest is. An employer must also clearly explain to its employees if and why it is transferring data outside of the European Union. If an employer is relying on consent as a legal basis for data processing, the employee must be made aware of how consent can be withdrawn. If there is a legal obligation to provide employee data, that must be explained to the employee. If an employer is processing by means of an automated decision-making mechanism, the employer must provide information about the logic underpinning the automated process and the consequences of any decisions derived from it, according to the Data Protection Commission. Employers should also be aware that an employee has the right to object to automated processing under GDPR.
Design and default under GDPR
The GDPR provides two critical concepts for employers which can help in their data project planning, namely Data Protection by Design and Data Protection by Default, principles that are enshrined under Article 25 of GDPR.
Data Protection by Design means that data privacy features and data privacy-enhancing technologies are embedded directly into the design of projects, which should be done at the earliest stage possible. Data Protection by Default means that the user service settings must be automatically data protection-friendly and only the data which is necessary for each specific purpose of the processing should be gathered.
Risk-based approach under GDPR
When an employer collects, stores or uses the personal data of their employees, the employees whose data is being processed may be exposed to risk. Employers that process the personal data of their employees should take steps to ensure that the data is handled legally, securely, efficiently and effectively so as to comply with GDPR. When carrying out a risk profile for the personal data that an employer holds or processes relating to its employees, the employer should be mindful of the complexity and scale of the data processing being undertaken, the sensitivity of the data being processed and the protection that data requires. The more complex or sensitive the employee data being processed, the greater the expectation that the employer has put appropriate safeguards in place to ensure compliance under GDPR.
Recital 75 of GDPR outlines some of the tangible harms that an employer needs to consider when processing the data of employees including:
Breach notification under GDPR
The GDPR introduced a requirement for employers to report personal data breaches affecting employees to the relevant supervisory authority within 72 hours of becoming aware of the breach, where the breach presents a risk to the affected employees.
When a breach could result in a high risk to the affected employee, the employer must inform that employee without undue delay.
Data Protection Officers
Under GDPR certain employers are required to appoint a designated Data Protection Officer (DPO). Employers are also required to publish the details of their DPO and provide these details to their national regulatory authority.
An employer will be required to appoint a DPO where any of the following four conditions is met:
Conclusion
The GDPR is not a seismic change from the previously implemented data protection laws, but does represent a uniform codification of those regulations. So long as employers remain mindful that they must process personal data lawfully, fairly and in a transparent manner, they will have a solid platform for building a compliant data processing and retention infrastructure.