GDPR FAQs for employers - Principles and Obligations

These Frequently Asked Questions provide you with a brief introduction to data protection law in the UK and how it applies to employers.

What is the GDPR?

The EU General Data Protection Regulation (EU GDPR) was created on the 14th April 2016 and came into force on 25 May 2018 and set out key principles and obligations for processing personal data. Although the UK has now left the European Union, the content of the EU GDPR has been incorporated into our domestic law and therefore continues to apply, albeit with certain modifications to take account of Brexit. This is referred to as the UK GDPR. In addition, the Data Protection Act 2018 (DPA 2018) provides further detailed rules that sit alongside and supplement the UK GDPR provisions. For simplicity, where appropriate, we refer to the UK GDPR and DPA 2018 together as the 'GDPR'.

What is personal data?

Personal data means any information relating to any living individual (also known as a ‘data subject’) who can be identified (directly or indirectly), in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). Relevant individuals can include work colleagues, consumers, members of the public, business contacts, etc. Personal information/data can be factual (e.g. contact details or date of birth), an opinion about a person's actions or behaviour, or information that may otherwise impact on that individual. It can be personal or business-related.
 
Personal data may be automated (e.g. electronic records such as computer files or in emails) or in manual records which are part of a filing system or are intended to form part of a filing system (e.g. structured paper files and archives).

What is special category data?

There is a sub-category of personal data which is known as ‘special category’ data. This is personal data about an individual's:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Physical or mental health  
• Sex life or sexual orientation
• Biometrics (if used for identification purposes)
• Genetics

Examples of the types of special category data that an employer may process include:

• Sickness records, pre-employment medical questionnaires/examination notes, and drug or alcohol tests
• Equal opportunities monitoring forms
• Payroll information, if you operate check-off for trade union members
• Pension scheme or private health insurance records, which might contain details about a person’s sexual orientation, if a partner is a beneficiary

The GDPR places more restrictions on the processing of special category data than on other personal data, because it is particularly sensitive.
 
What does ‘processing’ personal data mean?
‘Processing’ personal data means any activity that involves the use of personal data (e.g. obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying). It also includes sending or transferring personal data to third parties.
These can all be processing:

• You forward an email about an employee you’re dealing with to a colleague
• You delete old emails
• You use your electronic security card to open a door, creating a swipe record
• You install and use CCTV
• You record telephone calls

What is a data ‘controller’? And a data ‘processor’? And who is a ‘data subject’?
 
A data controller is the person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (For example, as an employer, you are a controller in respect of your employees’ personal data.)
 
A data processor is a person or body which processes personal data on behalf of the controller, following its instructions. (For example, if you use the services of a payroll provider to process your payroll, the payroll provider will be a processor.)
 
A data subject is the technical term for the individual to whom personal data relates.

What are the GDPR data protection principles?

As well as imposing certain specific obligations (see below), the GDPR requires controllers to process data in compliance with various data protection principles. We summarise these principles here.

Principle - Fair Lawful and Transparent Processing

You must:

• tell individuals what information you hold about them and what you do with it
• handle individuals’ information only in ways they would reasonably expect
• not use personal data in a way that has an unjustified adverse impact on the individual (it can have an adverse impact, as long as it is justified)
• ensure that you have a ‘legal basis’ for processing their ordinary personal data
• if you are processing special category data, ensure that you also have a ‘special category’ legal basis for doing so

Principle - Obtain personal data for specified, explicit and legitimate purposes and do not process it in a way which is incompatible with those purposes

You need to tell individuals the purposes for which you need their information and avoid using it for different reasons.
If you need to use information for a different purpose, you must take into account the following factors when deciding if the new purpose is compatible with the original purpose:

• Is there a link between the new and old purpose?
• Context of data collection and the relationship between the parties
• Nature of the data – e.g. is it special category data?
• Consequences of processing
• What safeguards are in place?

Principle - Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed

Do not obtain or hold excessive, disproportionate or irrelevant amounts of data about individuals. This is part of a principle referred to as ‘data minimisation’.

Principle - Do not keep data for longer than necessary for the purposes of which it is processed

Do not retain personal data for any longer than you need in order to meet the purpose for which it is held. This is part of a principle referred to as ‘data minimisation’.

Principle - Keep information secure

Ensure that individuals’ information is kept secure and, where appropriate, confidential. Take steps to make sure it is not lost, destroyed or damaged and is available to people only on a need to know basis.

Principle - Demonstrate compliance with the principles

The GDPR also includes the concept of ‘accountability’ which requires ‘demonstrable compliance’. This means that it is not enough for you to comply with each of the principles set out above; you must also be able to demonstrate that you do.

What specific obligations does a controller of personal data need to comply with?

In addition to requiring controllers comply with the data protection principles outlined above, the GDPR imposes further specific obligations. We describe these briefly here.

Obligation - Provide fair processing information

Linked to the principles of ‘fair, lawful and transparent processing’ and ‘obtaining personal data for specified, explicit and legitimate purposes’, the GDPR requires you to provide individuals with detailed information about what data you collect, the purposes for which you collect it, and how long you hold it for. The document in which such ‘fair processing information’ is provided is referred to as a ‘privacy notice’.

Obligation - Respect and facilitate the exercise of individual rights

You must enable individuals to exercise their rights under the GDPR. These are rights to:

• access their personal data (this is the most commonly used individual right and is referred to as the right to make a ‘subject access request’, or ‘SAR’);
• object to processing of their personal data;
• erase, delete or remove personal data (also known as the ‘right to be forgotten’);
• restrict processing of their personal data;
• rectify or correct inaccurate or incomplete personal data;
• obtain an explanation of any decision based solely on automated decision-making/profiling and challenge it, obtain human intervention, and be able to express their point of view;·    transfer personal data to an individual or another party, in a structured format (also known as the ‘right to data portability’)

Although not obligatory, it is good practice to have in place a company process for handling individual rights requests.

Obligation - Implement appropriate technical and organisational measures

You must put in place appropriate measures to: ensure your compliance with the GDPR; be able to demonstrate that compliance; and ensure an appropriate level of security for the data that you process.
When determining what measures would be appropriate, you must take into account factors such as the state of the art (i.e. technological capabilities), costs of implementation, nature, scope, context and purposes of data processing, and the likelihood and severity of any associated risks to individual rights and freedoms. One organisational measure that is often appropriate is the implementation of a data protection policy that sets out how your organisation handles personal data and what you expect of your employees in this regard.

Obligation - Data protection by design and by default

Linked to the general obligation to implement technical and organisational measures to ensure compliance (above), data protection by design and by default means integrating data protection into activities that involve processing personal data, from the design stage of a new process, and during processing itself. The default position must be compliance.
All processes that involve personal data, subject to cost and what is technically practicable, need to include safeguards so that you comply with the GDPR. One way to help ensure that you comply with this obligation is to carry out a data protection impact assessment (DPIA) before commencing new processing activities (see further below).

Obligation - Only use processors that provide guarantees of compliance

If you use a third party processor to process personal data on your behalf, the GDPR requires you to include certain specified provisions in your contract with them to ensure compliance.

Obligation - Maintain a record of processing activities

There is a general duty to keep a record of processing activities. This obligation applies to all organisations that have 250 or more employees. Organisations that have fewer than 250 employees must also keep records of processing activities in respect of processing that: is likely to result in a risk to the rights and freedoms of individuals; is not occasional; or includes special category or criminal data.
In our view, the processing of the vast majority of employee data would be described as ‘not occasional’ in the sense that it will be regular as opposed to one-off or ad hoc processing. Given this, we think it will be administratively easier for organisations with fewer than 250 employees simply to keep a record of all processing activities in respect of employee data. The record must include certain specified details of how data is processed and must be produced to the Information Commissioner’s Office (ICO) on request.

Obligation - Notify personal data breaches to the ICO and affected individuals in certain circumstances

You must inform the ICO of any personal data breach without undue delay (and, where feasible, within 72 hours of becoming aware of it), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform the affected individuals as well.
(A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to individuals’ personal data.) 
Although not obligatory, it is good practice to have in place a company process for handling personal data breaches.

Obligation - Conduct Data protection impact assessments (DPIAs) for certain types of processing

The GDPR requires you to conduct a DPIA where processing operations are “likely to result in a high risk to the rights and freedoms of natural persons”. The outcome of the assessment should then be taken into account when determining the appropriate measures to be taken in order to ensure and demonstrate that the processing of personal data complies with the GDPR.

Obligation - Do not transfer data outside the UK without ensuring an adequate level of protection

Special safeguards are needed if data is going to be transferred to a third party outside the UK, unless they are in a country that has been granted an ‘adequacy decision’.
The UK Government has, for now, recognised EEA countries as providing adequate protection for personal data and accepts the validity of existing adequacy decisions for other countries that were issued by the EU Commission before the UK left the EU. (Note that you must include information about international transfers and any applicable safeguards in your privacy notices.)

Obligation - Appoint a Data Protection Officer (DPO) if required

A DPO is a person with expert knowledge of data protection law and practices who assists the Controller to monitor their internal data protection compliance. They must report to the highest level of management within the company and have specific responsibilities, which are listed in the GDPR.
Appointing a DPO is obligatory under the GDPR for certain organisations:

• Public authorities
• Private organisations whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or processing on a large scale of special categories of personal data and data relating to criminal convictions and offences.

In our view, ordinary manufacturing companies are unlikely to be caught by the requirement to appoint a DPO, but you should seek specific advice if you are unsure.

*Note that failure to comply with the data protection principles or specific controller obligations described above will amount to a breach of the GDPR.

What are the consequences of breaching the GDPR?

The ICO is the UK regulatory body responsible for enforcing the GDPR. It has extensive investigatory powers and can impose enforcement notices and significant monetary penalties in cases of serious breach. The maximum penalty is £17.5 million, or 4% of an organisation’s global annual turnover, whichever is higher, but the amount will be determined based on the facts of the individual case, and ICO guidance has indicated its intention to set fines at a level that is “effective, proportionate and dissuasive”.
Individuals have several remedies under the GDPR, including:

• a complaint to the ICO;
• an application to Court for an order requiring you to comply with their individual rights
• an application to Court for damages caused by the breach (including damages for distress); and/or
• a complaint to the ICO or an application to Court supported by a representative body, such as a trade union.

Certain breaches of the GDPR can also result in criminal prosecution (e.g. altering an individual’s personal data to prevent its disclosure in response to a SAR, or forcing an individual to make a SAR to access details of their criminal or health records). 

What key practical steps should HR professionals take to comply with GDPR obligations?

The GDPR bites in all areas in which a business processes personal data. Even in businesses which process more personal data in relation to employees than in other contexts, GDPR compliance is not just an HR job; it involves other departments such as IT, Compliance, Legal, Sales, Finance, etc.
However, there are some key practical steps that HR professionals can take to help ensure that their organisation meets its GDPR compliance obligations: 

• Ensure that all staff are given appropriate training on data protection compliance, with staff who have particular responsibility for handling personal data being given more in-depth training tailored to their role
• Put in place any required GDPR documentation for handling employee and job applicant personal data (e.g. privacy notices, data protection policy, employee record of processing, etc.) and keep this documentation up to date
• Conduct periodic reviews of the employee personal data that you hold, to comply with the data minimisation principle and ensure that you are not keeping personal data for longer than necessary
• Understand how to respond to a SAR and other individual rights requests and ensure that all staff know how to recognise such requests and that they must report them to an appropriate person to be dealt with promptly
• Be clear on what you need to do in the event of a personal data breach
• Keep up to speed on any new developments and updates to ICO guidance

Where can we get help to comply with our GDPR obligations as an employer?

It’s clear from the above that the GDPR poses significant challenges for employers. At Make UK, our team of barristers, solicitors and HR professionals is here to help address all your employment-related data protection needs and ensure your compliance with the GDPR.
Plus, with our range of online data protection and GDPR resources, suite of essential template documents and exclusive training courses (for you as HR professionals but also for your staff), you have all the expertise, knowledge and support you need to help your business thrive. For further information about how we can help you, click here

Our team of barristers, solicitors and HR professionals provide all the legal advice and guidance you need to help you and your business thrive. If you would like to discuss your auditing needs or would like to know more about the support, Call us on 0845 293 9850, or email [email protected]