GDPR and employment – where are we now?
It has been over 18 months since the General Data Protection Regulation (GDPR) came into force. We explore the biggest challenges facing employers, the ICO's approach and key areas to focus on in the next 12 months.
Whilst most employers undertook data audits and put in place data policies and notices to comply with the new requirements, for many the process was rushed with little time for comprehensive analysis. So now is the ideal time to take stock to make sure everything is in order.
Three key issues since GDPR
The main issue is the dramatic increase in Data Subject Access Requests (DSAR). In particular, they have become a common tactical element of employment litigation and in many exit negotiations and grievances. DSARS are often incredibly time consuming, expensive and complex. This explains why a failure to comply with a DSAR amounts to approximately half of the total complaints to the ICO. To reduce risk, as much detail as possible should be set out in staff privacy notices and they should be kept up to date. We can help you to respond to requests robustly and explore with you the legal and commercial options available so you are in the driving seat.
Data protection breaches
Another area is the handling of data protection breaches. Employers must now notify the ICO "without undue delay" and not later than 72 hours after having become aware of a data breach. Not surprisingly, there has been a huge increase in the number of data breaches being reported. In the UK, the ICO has indicated that in the 6 months after GDPR it received over 8,000 notifications of data breaches.
Artificial intelligence is increasingly part of how employers recruit and manage staff. Whilst developments in this area open up exciting opportunities they also carry risks. One of the risks is the extent to which the AI breaches data protection law. The ICO recognises this and is focusing on information technology as one of its 8 top priorities for 2020. Where employers introduce automated decision making they must conduct a thorough data protection impact assessment so these risks can be identified and mitigated.
Enforcement by the ICO
Since GDPR, the ICO has taken enforcement action on over 70 occasions. High profile cases include fines of £100,000 against EE Limited and £400,000 against Bounty UK.
However, these fines were for breaches pre GDPR. The stakes are now much greater with the much larger fines possible post GDPR. For post GDPR breaches, the ICO has already slapped proposed fines of £183 million and £99 million on British Airways and hotel chain Marriott. These are mega figures and are a stark warning of the increased risks.
What should employers be considering now?
Some key points to review are:
- Privacy notice - is your privacy notice up to date? For example, does it clearly explain who has access to staff data and how long it will be held?
- Policies and procedures - are your policies adequate and do they cover key risk areas including how to respond to data breaches and DSARs? Have they been clearly communicated with all staff?
- Staff training - consider annual GDPR refresher training, with more tailored training for staff that regularly handle personal data.
- Privacy impact assessments - do you understand the circumstances in which you are required to undertake a Privacy Impact Assessment?
- Do you have adequate Data Sharing Agreements in place?
- Do you understand your main areas of risk or weakness? Is it customers, staff or other? We can help to analyse and then mitigate that risk.