The GDPR is just four months away. Firms may already be prepared for major changes to how they handle client data, but do you know it also applies to data on your people? Andrew Kimble and Dan Fawcett provide a guide for managing partners and HR professionals
In May, the General Data Protection Regulation (GDPR) will overhaul the 20-year-old Data Protection Act 1998 (DPA 1998). Among other things, the new law will require all employers to look afresh at how they store and manage employee data, particularly sensitive personal data such as information on employees’ health, absences and trade union membership.
Employers will need to ensure that they have a comprehensive, concise and transparent privacy notice that advises employees, partners and LLP members as to how and why their data will be processed
Law firm HR departments will play a crucial role in ensuring that employee data is processed lawfully, and appropriate information is given to employees about the use of their data. The GDPR will require a significant shift in how organisations deal with this aspect of data protection compliance. In particular, it will require a move away from relying on employment contracts, and towards comprehensive and clearly drafted privacy notices.
At present, organisations can be fined up to £500,000 for a serious breach of the DPA 1998. However, under the GDPR, maximum penalties for breaches of its requirements are €20m, or four per cent of an undertaking’s worldwide annual turnover, if higher. The potentially severe penalties for breaches of the GDPR mean that data protection compliance should now be seen as a key compliance issue for all employers, including law firms.
Can we continue to rely on consents in employment contracts?
Under both the existing DPA 1998 and the GDPR, personal data can only be processed if one of a number of conditions is met. One of those conditions is consent and, at present, firms often rely on consents in employment contracts as meaning the conditions for processing data are met.
This has never been an ideal approach, as there has always been a concern over whether such consent can be freely given. However, under the GDPR, consent can only be relied on for processing if it is freely given, specific, informed and unambiguous. Given that an employee has no choice but to enter into an employment contract if they want the job, it is unlikely that this condition can be satisfied in an employment contract.
There are a number of other conditions for lawful processing that can be relied on, and HR departments should ensure they know which is most appropriate for their organisation. Potential conditions are either: that processing of the data is for the purposes of legitimate interests pursued by the employer; or that it is necessary for the performance of a contract that the employee is a party to (that is, the employment contract).
Law firms will need to think about the conditions they are relying on for partners and LLP members as well as employees, although there will often be overlap.
What do we do about employment contracts that currently contain data protection consents?
It would be advisable to inform employees that the sections of their contracts dealing with data protection consents no longer apply. Some law firms that process particularly sensitive client data may, however, want to include some obligations regarding data protection compliance in employment contracts.
In any event, HR teams will need to amend template contracts for new employees to remove consent clauses that are unlikely to be the best route to compliance under the GDPR. The new versions could refer employees to an organisation’s data privacy notice (see below), or even append that notice to the contract.
If we can’t rely on consent, how do we ensure we process information lawfully and fairly?
Instead of relying on consent, employers will need to ensure that they have a comprehensive, concise and transparent privacy notice that advises employees, partners and LLP members as to how and why their data will be processed.
Under the DPA 1998, there is already a requirement to provide such a privacy notice, sometimes referred to as ‘fair processing information’, to data subjects. However, under the GDPR, the information to be provided about the processing of data is far more extensive than that required under the DPA 1998. The notice needs to set out:
- the specific legal condition relied on for fair processing
- where data is obtained from
- who data may be provided to
- how long data will be stored for
- information on a data subject’s wider rights under the GDPR, including in relation to subject access requests and the right to complain to a regulator (in the UK, this is the Information Commissioner’s Office (ICO)).
Law firms and their HR teams will therefore need to carefully audit the data they hold and the use of such data, in order to prepare suitable privacy notices. Once a suitable notice has been drafted, they will need to update the existing information on use of data, which may currently be set out in a staff handbook, in a data protection policy or on a staff intranet page. It is important to ensure that the information can easily be updated, so it may be better to keep it separate to a staff handbook.
Those firms which have in the past relied solely on a consent in an employment contract will need to make a decision as to the best way of drawing a privacy notice to employees’ (and partners’ / members’) attention. For new joiners, that could involve including the privacy notice in an induction process (or even better, with an offer of employment). However, HR professionals in the legal sector will need to develop a clear communication plan for existing employees, to make sure they can evidence that adequate information has been provided prior to the introduction of the GDPR.
What about job applicants?
HR departments will hold information on not only existing and former employees, but also applicants for employment. They will need to ensure that personal data on applicants is processed fairly and lawfully, in the same way as for employees, and will therefore need to do a similar task of auditing use of data and preparing a suitable privacy statement to be sent to job applicants, to advise them of how and why information will be processed. Depending on how candidates apply for roles, that privacy statement may need to be incorporated into an online application system, or the organisation may need to work with recruitment agencies to make sure there is a process for providing the information to applicants.
What other new rights will employees, partners and members gain?
Law firms may be familiar with employees using subject access requests to try to obtain documents for use in disciplinary and grievance procedures or as a precursor to an Employment Tribunal claim, and may have experience of how time-consuming they can be to process.
Under the GDPR, the current set fee of £10 that employers can charge for complying with a subject access request will no longer apply. Additionally, employers will be required to comply ‘without delay’, and within one month rather than within 40 days. This is very likely to lead to an increase in the use of subject access requests. HR departments should consider implementing processes to ensure they can efficiently deal with any such increase.
As data subjects, employees will have new rights to ask for their data to be rectified, deleted or frozen (a restriction on having their data processed). Circumstances in which these rights apply include where data has been unlawfully processed. There is a risk of employees seeking to use these rights to challenge evidence being used against them in disciplinary processes.
Until these rights have come into effect, it is difficult to say how much use employees will try to make of them. However, if a firm has a well-drafted privacy notice it will make it more difficult for employees to argue that data has been processed unlawfully. Getting the privacy notice right could therefore be a defence against attempts to utilise these rights in a way that is not within the spirit of the new legislation.
Again, all of the above could apply as much to partners and members as employees.
What further role will HR play in ensuring compliance?
One of the biggest data protection risks for firms will be mistakes made in handling data by employees. Therefore, implementing robust data security procedures and developing training on those procedures will be key elements of any organisation’s GDPR compliance strategy. As part of the process of embedding data protection principles in workplace culture, HR will need to work with information security teams to ensure that all employees are trained on and understand their obligations under the GDPR. This will be crucial in law firms, due to the sensitivity of data involved in legal work.
Learning and development teams will therefore need to be involved in devising training courses and implementation plans well in advance of May 2018. HR teams will also need to be involved in the drafting and dissemination of data protection / information security policies.
One of the key requirements of the GDPR is an obligation on a data controller to notify the ICO (or other regulator where operating elsewhere in Europe) promptly – within 72 hours if feasible – of any data breaches. This means breaches of security leading to accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data.
Employees will need to be aware of the notification requirements, and understand that intentional or grossly negligent breaches are likely to be treated as disciplinary offences. It may also be appropriate for firms to embed ‘fair culture’ practices, so that employees know that, if they report a minor or innocent breach, the focus will be on resolving the issue and preventing reoccurrence, rather than on blame. That may encourage employees to report breaches.
Do we need a DPO?
If a firm’s core activities involve large-scale or systematic monitoring and storage of sensitive personal data, it will be obliged to appoint a data protection officer (DPO). This is an independent role with a focus on advising data controllers and monitoring compliance with the GDPR. Whether a law firm is required to appoint a DPO may well depend on the type of work it does. Firms that do purely corporate or real estate work may not, but firms that handle large amounts of personal injury, clinical negligence, employment or criminal work are highly likely to need a DPO.
Conclusion
Law firms will need a joined-up approach to compliance with the GDPR, and HR departments will have a key role to play, not only in ensuring employee data is processed lawfully and fairly, but also in embedding a data protection culture across an organisation. If HR, information security, compliance and legal teams work together in devising procedures and training programmes, then an organisation will be in a much stronger position when it comes to complying with its data protection obligations.