Changes to employee data management under the GDPR

March 2017

As the implementation of the General Data Protection Regulation (GDPR) approaches, businesses need to consider what this might mean in terms of cultural, structural and practical changes that may be needed in order to meet the new requirements, particularly in relation to employee data (likely to be the biggest risk area for many employers).

Many of the concepts under the GDPR, while new for the UK and some EU Member States, are not so new for others. Germany has been at the cutting edge of data protection developments, and a number of the requirements under the GDPR either reflect current German practice and thinking, or are not far removed from them.

Increased employee rights

Under the GDPR, employees as data subjects will have greater rights. The good news for UK employers is that many of these rights are similar to those under the current UK Data Protection Act 1998 (DPA). The bad news is that, as a general rule, the GDPR expands the rights under the DPA, introduces a few new rights, and imposes significant penalties for breaches.

In summary, under the GDPR, employees as data subjects have the following rights:

  • the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
  • the right of access, similar to those rights under the DPA and encompassing the ever-popular subject access request;
  • the right to rectification of data that is inaccurate or incomplete (again similar to the DPA);
  • the right to be forgotten under certain circumstances;
  • the right to block or suppress processing of personal data (similar to the DPA); and
  • the new right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.

Accountability and privacy by design

Accountability is arguably a continental concept at its core, and not necessarily a concept that the UK or newer Member States are that familiar with. The new accountability principle requires businesses to demonstrate that they comply with the data protection principles and states explicitly that it is their responsibility to do so.

In practice, this means that employers will have to:

  • put in place appropriate measures to ensure and demonstrate that they comply (this may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies);
  • maintain relevant documentation on processing activities;
  • where required, appoint a data protection officer (DPO);
  • implement measures that meet the principles of data protection by design and data protection by default (such as data minimisation, pseudonymisation, transparency, allowing individuals to monitor processing and creating and improving security features on an ongoing basis); and
  • use data protection impact assessments where appropriate (see article).

As well as the obligation to provide comprehensive, clear and transparent privacy policies, if the employer has more than 250 employees, it must maintain additional internal records of its processing activities. This is likely to place further cost and administrative burdens on employers.

At the heart of the GDPR is a change in focus from high-risk matters alone to more routine ones – effectively to anything that impacts a data subject.

Data Protection Officers (DPOs)

Again, DPOs are arguably a Franco-German concept, and something that German employers are probably more familiar with than their counterparts elsewhere in the EU.

Under the GDPR, DPOs must be appointed by employers who:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The DPO role can be outsourced to external providers, but the underlying obligation is that the responsible individual must have expert knowledge both of data protection law and its requirements and of the practices and processes of the employer itself. This should be proportionate to the type of processing the employer carries out, taking into consideration the level of protection the personal data requires.

Employers must ensure that:

  • DPOs report to the highest management level – i.e. ordinarily, board level;
  • adequate resources are provided to enable DPOs to meet their GDPR obligations; and
  • DPOs operate independently and cannot be dismissed or penalised for performing their tasks.

DPOs will have specific rights and protections, including:

  • the power to insist on company resources for data protection matters;
  • the right to access the employer's data processing personnel and operations; and
  • express protection against dismissal or penalty for carrying out their duties.

The last point is probably the most uncomfortable for employers, creating a protected class of employee, and one that US parent companies, in particular, are likely to find difficult to understand. There will be no limit on the tenure of the DPO role, which again is likely to cause raised eyebrows among some EU employers.

Employers should note that any organisation is able to appoint a DPO. Regardless of whether or not the GDPR requires a DPO to be appointed, employers must ensure that they have sufficient staff and skills to discharge their obligations under the GDPR.

Data protection privacy impact assessments

Data protection privacy impact assessments (PIAs) can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

Employers will be required to carry out PIAs if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals. This will affect various aspects of HR activity, particularly in the recruitment and post-employment arenas – it is easy to see how vetting and assessment activities in recruitment, for example, will trigger a PIA.

Data breaches: positive action needed for all but most trivial breaches

Employers will need to inform the relevant regulator of a personal data breach within 72 hours of becoming aware of the breach unless they are able to demonstrate that the breach is unlikely to result in risk to the individual’s rights and freedoms. While self-reporting has always been an option for employers to mitigate the risk of enforcement action, this has now become an obligation on employers for, arguably, all but the most trivial of breaches. In tandem, the ICO and other national regulators will also have increased investigation and audit powers, and rights to require information and access to premises.

The reason to care: penalties

Currently, fines under national Member State laws vary. Under the GDPR, however, fines will be significantly increased across the EU, and will be levied on a two-tier basis as follows:

  • up to 2% of annual worldwide turnover of the preceding financial year or 10 million Euros (whichever is greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default; and
  • up to 4% of annual worldwide turnover of the preceding financial year or 20 million Euros (whichever is greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers.

In short, employers who previously regarded non-compliance with EU data protection law as a low-risk issue will be forced to re-evaluate their position.

Multi-national employers also need to closely monitor developments in other Member States such as Germany where lawmakers have already stated their intention to make use of the GDPR derogations for employee data protection. Some Member States may raise the bar for local HR operations in certain areas (e.g. lower thresholds for appointing a DPO and determining specific conditions for processing of a national identification number).

What to take away?

Employers need to take notice of the ways in which they process employee data, the purposes for which they process it, and the processes and procedures in place for collecting, transferring and storing employee data. The UK's ICO has taken a pragmatic approach to enforcement and is unlikely to change that; maximum fines are likely to be imposed only as a last resort. However, other regulators may also have a say in enforcement against UK businesses, for example where it is primarily their own citizens who are impacted, and this means the decision may not be the ICO's alone.

In order to tackle these requirements and best protect a business, we recommend the following steps:

  • review current data protection policies and practices;
  • allocate appropriate resources to deal with the enhanced compliance burden;
  • review employee data flows, use of employee data and ways in which data is processed and stored;
  • put in place updated or new internal data protection policies, staff training, internal audits of processing activities and reviews of internal HR policies;
  • assess business needs and identify employees who will require early training on the new reforms, with a view to rolling out revised data protection training for all employees nearer to the date of implementation;
  • where appropriate, appoint a data protection officer (DPO) and/or nominate an individual or officer to oversee compliance with the reforms;
  • implement measures that meet the principles of data protection by design and data protection by default;
  • use PIAs where appropriate; and
  • review and implement policies for reporting future data breaches, which should tie in with whistleblowing procedures.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Stephanie Creed