GDPR for Employers

Transcript of the Video

Welcome, welcome, welcome to my third Facebook Live, I think it is now. I have invested in the tripod, so hopefully no technical disasters today like my phone falling off its sticky thing yesterday, like trying it on my laptop and it freezing two or three times, so hopefully we're set up today. Let me just do a sound and audio check. I can't see that anybody is actually joining me live at the moment, so I'm going to wait until I can see that somebody has so that we can do a sound and video check. I'm going to see that I'm coming through on the group here. Let me do a quick refresh of that. Okay. There we are, so I can see that it is actually broadcasting. Thank you, Chris, for saying, you can hear me loud and clear, so thank you for that.

Welcome, everybody. GDPR and employers today, so if you are employing people, then this is one for you to watch. Although we might not have technical problems today, we have some problems in that the sun is shining in through the orangery right into my face and causing some strange shadows. We'll forget about that and get into the content. Welcome, Chris. Welcome, Elizabeth. Welcome, other Chris. Yeah. I've just noticed that these Facebook Lives have a feature to bring you on the camera, so might do that on future Facebook Lives where I can actually bring you on air to ask a question. That would be rather fun, wouldn't it? Okay. Super.

I'm just going to give it a couple more minutes until we get a few more people on, and then we'll get stuck into the discussion of GDPR and employees because a lot of people just think about GDPR in the context of marketing, but actually, another key area is employee data. If we have employees, then we retain a lot of employee data, and probably a lot of that data falls into the category of sensitive data, so if you require your employees to fill in a medical questionnaire, or you ask them to fill in an equal opportunities form where they're disclosing their race, then that type of data is sensitive data, and special rules apply to that data.

That's what we're going to be talking about today. We're going to be talking about the processing of employee data, and if we've got time, we'll also look at the enhanced rights of employees that GDPR will be bringing in. We'll just, as I say, wait for a couple more people to join, and then I'll get cracking. Now, do ask me your questions. I think today, actually, they're coming through on my phone, so it does seem to change its mind on a daily basis as to whether it actually lets me see the comments or not, but I can see Chris' comment from before, which is all good. Okay. All right, so we've got, I can see three of you. That's good enough for me. If there's one of you listening to me, then I'll carry on.

Okay, so let's just start by asking you guys who are watching now, let's go to Chris Richards, seeing as you were here, you're prompt, you're on time, you're raring to go with this. How many employees do you have, Chris? You can pop that in the comment box and let me know. Hi, Jenny. Welcome to you. Jenny's one of my mastermind members who I know has employees, and I think, Jenny, correct me if I'm wrong, I think you have four employees at the moment. Is that right? Maybe you can pop that in the chat box, how many do you have. Elizabeth, not sure if you have any or not, but if you do, pop that in the chat box, and let's get a little bit of a view as to how many employees we're talking about here. Four, so Jenny's saying four. I was right with four. Jolly good.

Chris, the first Chris hasn't answered, and he might ... Chris Richards, are you still there, Chris Richards? How many employees have you got? Let me know, and Chris Tingey, Tingay? Tingay? Sorry if I said that wrong, Chris. How many employees do you have? Let me know in the chat box. Welcome. Welcome to whoever's joined. We're just, while people are joining, I'm just getting a feel for how many employees people have on this Live so that I can tailor it for them a little bit more appropriately. Hello, Nicola Jordan, how are you? Nice to see you.

I'm just asking people who are watching live how many employees they have. Chris Tingey says, one employee and three freelance contractors. Okay, great. I'm going to be doing a separate Facebook Live talking about working with freelancers. We're just focusing on employees today. Elizabeth saying, "Setting up a new business now, so this is useful for my planning." Jolly good. Absolutely, so if you don't have employees right now, but it's something you're thinking of doing, then you need to know this stuff, so very sensible to be proactive about that, Elizabeth, and beyond this Live now. Okay. Super. All right, so let's get started, and people can join in as they come in.

Okay, so we're going to be talking about the grounds of processing employee data and employee data rights, because they have, or they will, expand under GDPR. Glenda says, "No employees, but lots of associates." Okay, so Glenda, this is purely about employees. I'm going to be doing another training on freelancers, but it will be useful to listen to for future reference if you do decide to take on employees. Suzanna says she's a bookkeeper and offers payroll services, so she's interested from both her own perspective and her clients' perspectives. Elizabeth works with five freelancers. Okay. Jolly good. Jolly good. Okay, so I think we've got sort of up to five employees is what I'm seeing at the moment, which is great. I'm consulting with multinationals at the moment that have, I think the one I'm currently working with has 350,000, maybe a little bit more, so they have a little bit more of a problem in dealing with this than you do. For you guys, it should, fortunately, be reasonably straightforward, but there are still things that you need to know.

Okay, so as I've said, GDPR is not just about email lists. It's not just about marketing. Employee data figures in this very heavily, and as I said earlier, before a lot of you joined, when you're dealing with employee data, a lot of it's likely to be sensitive data, so if you ask them to fill in a medical questionnaire or an equal opportunities form, then that type of information is sensitive data, and you have to treat that a little bit differently. Now, historically, you're likely to have relied on consent as the legal ground for processing all of your employee data, just a generic consent that's normally in the employment agreement and that's it. The employee says, "Yes, I consent to you using my information for blah, blah, and blah." Under the existing data protection laws, that's fine.

Now, going forwards post-GDPR, consent is unlikely to be the appropriate legal ground of processing for most of your employee data. You can't have that blanket consent now, and the reason for that is that the new definition of consent under GDPR says that consent has to be freely given. It's about genuine choice and consent, and of course, if that consent is a blanket consent, and it's in an employment agreement, then chances are, it's not given very freely, is it? It's not like you could negotiate that out and say, "No, actually, I don't fancy you using my data, so I'm going to opt out of that." That's not how it works with employment contracts.

Because of this emphasis on consent being freely given, then what ... It seems unlikely, because of the imbalance of power, the imbalance in negotiating power in the employer-employee relationship, it seems unlikely that consent is going to be the most appropriate legal ground for processing going forwards, so what you need to do is, you need to break your employee data down, and you need to look at all aspects of your employee data.

You're going to need some data, of course, for payroll. Now, that would fall under the ground of being necessary to fulfill your contractual obligations, because obviously, you take on an employee, you've got to pay them, and how do you do that? You need their bank account details to do that and certain other payroll information. That would fall under the ground of fulfilling contractual obligations. Social security data, say the information that you give the taxman, for example, that's necessary to fulfill a legal obligation, so that would be the appropriate ground for processing for that type of data.

Legitimate interests, it might be said that filling in, providing medical reports, or medical sign-ups, or medical questionnaires, that those are in the legitimate interests of the employer, but remember, when you rely on the legitimate interest ground of processing, you have to make sure that your legitimate interests as an employer are not overridden by the potential harm to the individual. Legitimate interest is always really my last resort ground of processing because it's not black and white.

Or it could be consent. In some cases it could be consent, so if you've got an employee survey, for example, then it might be that consent is the most appropriate ground of processing, or occupational health reports, although whether that would fall into the legitimate interests or not is debatable, but the problem with consent is that consent can be withdrawn at any time.

Again, this is really a reason for not having, aside from the fact that consent needs to be freely given, if you rely on consent, then it can be withdrawn at any time, and an employee could potentially withdraw consent as a tactic in, for example, a disciplinary procedure or a redundancy process. An employee could, in theory, if they were a savvy employee who knew about this kind of stuff, withdraw consent to processing at a key stage in that disciplinary or redundancy process, or a negotiation about something else, to try to gain the upper hand. You need to be really quite wary about using consent as a legitimate ground for processing going forwards.

Okay, so it's practical steps that you need to take, then. Number one, sit down and identify what employee data you actually hold and break it down into things like, "Okay, well, we've got the payroll information, social security data, medical reports, etc.," and break it down into that level of detail. Then you need to match that up with a legitimate ground of processing. I'll pop a little summary of what those grounds are in the video below. We've covered, I've covered probably the main ones that are relevant to the employment relationship, but I'll put them in the comments anyway.

Okay, so if you do happen to have to rely on consent for whatever reason, that consent needs to be a separate document and not intrinsically linked to the acceptance of employment. What we're advising is for employers to have a separate privacy declaration for employees, and that needs to be detailed, specific, and explicit as to the purpose or the ground for the processing, and more importantly, the purpose, what are you using the employee data for? There's not really one size fits all for that. You have to really look at the detail of your operations and in your employee data and tailor a privacy compliance statement or privacy declaration, really tailor it for your own business.

Now, I talked about sensitive data before, and as an employer, chances are, you are going to be dealing with sensitive data, and as I said on an earlier Facebook Live, you need explicit consent for sensitive data. The Working Party guidance on that is that a signature on the bottom of a form will suffice, and it gave a number of other options, like a double opt-in if the information was being provided online, but for this, an employment relationship, if you're getting them to fill in a form that has an element of sensitive data in it, and I've previously posted what sensitive data is, it's things like race, it's things like health data, it's things like religious persuasion, sexual persuasion, it's all of that kind of stuff, if you're processing sensitive data, you need explicit consent.

Typically, that's a separate form with the information on it, or maybe they're filling in the form. It can be an online form if necessary, but we need to have their signature on that form. That's a way of evidencing explicit consent, and you also need to keep a record of that consent, so if you are relying on consent for employee data, you need to have some kind of system that records the fact that the employees have consented. Now, obviously, if it's filling in a medical questionnaire or something like that, you're going to keep that on file. The employee will sign it with the relevant privacy notice on, and you will keep that on file.

Okay, what else do I need to say about that? Does that all make sense? But I think that's all I need to say about that, so really, the things that I want you to take away are that one of the key things about GDPR is that it makes us think about and look a lot more closely at the legal ground for processing data, and if you don't have a legal ground for processing data and you're reported to the ICO, then you will be, at the very least, reprimanded by the ICO, so we need to have in mind at all times, "What is the legitimate ground for processing this data?"

First thing, break down what employee data you actually hold. Second thing, look at the legal ground for processing for each of those bits of data, and then obviously make sure there is a legitimate ground for doing that. Now, if you need consent, then you need a separate consent declaration. It can't be in your employment contract, and there probably will be limited areas of processing where consent is the best legal ground for doing so because, as I said before, employees can withdraw consent, and it needs to be freely given, so you need to bear that in mind. Okay.

Now, you're probably thinking, "How can I get hold of my declaration of consent for employees?" That will be in my GDPR Pack. There'll be an employment section in that, so I will be letting you know in the near future how you can get hold of that if you'd like it. Okay, so any questions on that? Let me look over here. Okay. Again, it's very strange. My laptop only shows me the last four questions, which is a little bit strange, because I know that there have been more comments and questions, and they seem to have disappeared, but there you go. Okay. All right. Well, I can't see any more questions. Can you just pop a little comment in the box if that was all clear? Did that all make sense to you, and do you know what practical steps you need to take going forward? Just pop a little comment in the box so that I know that the question box is actually working and that it made sense. I'll just give you a bit of time to do that.

Okay, so the next thing that we're going to talk about is employee rights, and I'll just have a look. Okay, Jenny, thank you for confirming that, that all made sense. Okay. Thank you, Suzanna, for confirming that. Okay. Good. All right. Well, I'll assume then that that was all super clear and you've got no questions on that, so that's great. Jenny says, "Is there a specific way this data needs to be stored?" You mean in terms of a locked filing cabinet and things like that or whether it needs to be online, that type of thing. Obviously document security, that is a key element of GDPR, and there need to be appropriate technical and organizational measures to protect data, so yes, if you're getting them to sign a physical document and it's sensitive data, then, and if you're a small business, then at the least, I would expect it to be in a locked filing cabinet.

Because what people don't realize is that if, and the GDPR talks about data breaches, if you have personal data about one employee and another, and it's disclosed accidentally to another employee, for example, because it's not in the appropriate files and it's not in a confidential area, then that could be, it's a disclosure, it could be a data breach, so yes, you need to be careful about security of employee data.

Jenny's saying, "We've been told through the beauty industry there has to be a locked and logged cabinet." Yeah, so for a small business, if it's a hard copy form that they filled in, then I would absolutely keep it in a file marked confidential. All employee data should be kept in files marked confidential, ideally in a locked cabinet that only you, or whichever level of manager, has access to, so other employees should not be able to access that data.

Hello and welcome to Veronica Pullen, who has just joined us. Welcome. We've just covered the grounds for processing employee data, Veronica, which are changing. Well, they're not... There will be different grounds that we will be relying on for processing employee data, so do watch that on the replay, but we're just about to go on to enhanced employee rights.

Now, GDPR brings enhanced data subject rights, and employees benefit from the general application, so Joe Public benefits from enhanced data subject rights, and so do employees. Those are, I'm just going to run through them very quickly, and I'll pop them in the comments box to this as well, there are about eight of them, but the one we're going to be focusing on now is subject access requests, which is where the employee can write to you and say, "Right. Give me all the information you hold about me."

I'm going to walk you through how to deal with that, because that can often be very problematic for businesses, but in summary, the enhanced data subject rights under GDPR are the right to be informed, the right of access, the right to rectification, the right to erasure, and that's not the eighties band, by the way, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling, which probably means nothing to you. I'm not going to go into it in detail now, but I might do a separate Facebook Live on each of these different rights.

I'm just reading them out so that you have an overview and know that there are that many different rights, but the one we're going to be focusing on in this Facebook Live is the most common one that you're likely to come across, which is a subject access request. The problem with these in the employee context is that they're frequently made when you're in an ongoing dispute, or you've got a tribunal or a court case, and the employee will come to you and they'll give you the request and say, "Give me all the data you hold on me," and they're typically on a fishing expedition to use whatever data they find for the benefit of their case or their ongoing dispute.

Now, the problem that we have is that a lot of employee data is actually unstructured. It's not in finite documents. If you think of email chains that go on for, you've got 500 forwards and backs and to's, so it's in chains of emails, and there might be thousands, and in bigger organizations, hundreds and hundreds of thousands of pieces of data on that individual employee, so you've got computer logs on files, records of web searches made, emails and associated metadata, lots and lots of information, but the GDPR does put a fairly onerous burden on the employer to actually satisfy those information requests. The employer must make genuine and extensive efforts.

That does not mean that you have to leave every stone unturned, you'll be pleased to know, and recital 63 says that where employers process large quantities of information, you can go back to the employee and actually ask them to specify the information or the processing activities to which their data access request relates, so if they come to you and they just give you a blanket, "Give me all the personal data that you hold on me," then you are within your rights to go back to them and say, "That's just too wide. You need to narrow that down so that we can find the relevant data for you."

Now, if that request is not limited, you could argue that it is manifestly unfounded or excessive, in which case you could either seek to charge them for that undertaking of finding all that information or refuse to act. Now, the general rule with subject access requests is that you can't charge, and that is a change to the existing law, where you can charge 10 pounds at the moment, but going forward you can't charge for a data subject access request, whether that's employees or just other people, prospects that you hold data on, but if the request from an employee is manifestly unfounded or excessive, then you can seek to charge them or refuse to act.

Now, data subject requests are subject to the principle of proportionality, so if it's a really serious matter, then the Information Commissioner is going to expect you to put a lot more effort into finding the relevant bits of data than if it's a spurious, vexatious claim, and they're just trying to waste the time of management or whatever, so it's got to be subject to the principle of proportionality. Now, I'm not sure that anybody would do this, but just in case, it is an offense to alter or erase information with the intention of preventing disclosure, so don't be tempted to, if there's any sort of discriminating information in chains of emails, then don't be tempted to alter or erase those bits of information in those emails.

Now, the other point on subject access requests is that you need to be careful when you're replying to them about not disclosing personal data about another individual, so another employee, unless that other individual has consented to you disclosing it or it's reasonable to disclose that information without the consent... Excuse me, without the consent of the other individual. One second while I have a sip of my tea. What do I mean by that? Well, for example, say you've got an email from somebody's supervisor about an employee who's not been performing well, and he talks about the fact that he's always late or refers to a conversation that the supervisor had with the employee. Then even if you were to redact, and redact just means black it out so that the employee can't see it, if you were to redact the name of that individual, the employee would still potentially be able to identify the supervisor from the content of that email, so arguably you wouldn't have to disclose that information, because you would be disclosing personal data about another individual.

What I would say about subject access requests is, if you do get one, these are the important things for you to know. Number one, take them seriously. Okay? You can't just try and forget about them, hope it goes away, try and just fob the employee off. You can't sit on it for months. You have to actually provide the information within a month, unless it is overly burdensome, in which case you can write to them and explain the reasons for the delay, and you can have another two months to provide the information, but typically, you must reply to them within a month. If you get one, don't sit on it and on the 29th day think, "Oh, my goodness, I remember this. Suzanne said that we've got to deal with this within a month. I'd better get on to it," because it will be too late.

If you get one, the first thing I would do is speak to your lawyer or possibly an HR advisor about how you appropriately reply to that data subject request, because also, on a state-by-state basis, there are exemptions from a subject access request. In the UK, for example, you wouldn't need to disclose management forecasting or management planning, so for example if you had a redundancy planned, then you wouldn't need to disclose that information as part of the subject access request, because it would be detrimental to the rest of the workforce, so if it hasn't already been announced to the rest of the workforce, and it's just that management is looking at the pros and cons of a redundancy process, you wouldn't have to disclose that. That's under UK law, and that's just one example of an exemption from the subject access request, and there are a number of them.

Another example is legally privileged documents. Okay, so it's not straightforward typically, so I would always say to you, number one, if you get a subject access request from an employee, take it seriously. Get in touch with somebody who can help you decide what information you should rightly disclose as part of that subject access request, and remember that you need to respond to that within a month, so don't sit on it forever and decide to do something on the eleventh hour, because it will probably be too late by then.

Yeah. In addition to that, the other thing I just want to flag with you, I don't want to give you too much information, because it will probably go over your heads at this point in time, I just want to highlight the things that you need to be thinking about, but aside from working out what you can actually disclose and what you can't, when you respond to a subject access request, you need to provide certain information. There's a fair amount of information that you need to provide, so what I'm going to be providing in my GDPR Pack is a checklist for what you need to be providing within that pack. Sorry, within that response to the request, and that will be with all the other employee GDPR stuff, so there'll be the employee privacy declaration that we talked about before.

There will be a form of data subject access request that you can use for employees to actually submit their request on, and there'll be a template for your response, but the area that I can't really templatize for you is deciding what data you can disclose and what you can't. What I will include is a fact sheet on that, but the thing to be aware of is that the exemptions may change. In fact, they're not certain at the moment, because they're part of the Data Protection Bill, which has not yet come into force, so I think the thing to be cognizant of is the fact that there are certain exemptions, and if you are faced with a request for information from an employee, then ask somebody about it.

If you're in my elite membership of my Small Business Legal Academy, that's the kind of thing that you could ask me. It depends on the scope of the information that you've got about the employee. Obviously, if you've got lots of information, and it's a big job to sift through all that, you might want to get somebody in who can actually sit there in your office with you and help you go through all that.

Okay, so that's all I wanted to say about employee data subject requests. The key things to take away from that are, take them seriously. Act on them straight away, because you've only got a month to reply. Work out what data you're actually holding on your employee, and then speak to somebody who is familiar with this type of thing in terms of working out what you actually need to disclose. Make sure that you provide the right information when you're sending that response back, and just be conscious of the fact that there are quite a lot of exemptions on a state-by-state basis. When I say "state-by-state" I mean European states, countries. If you're in Poland, there are going to be different exemptions to if you're in the UK, for example. Be conscious that there are these exemptions that you don't have to say... For example, you wouldn't want to disclose legally privileged information to an employee, yeah, so just make sure that you're talking to somebody who knows what they're doing to get advice and guidance on what you should actually disclose as part of that process.

Okay, any questions? We nipped through that quite quickly, didn't we? Half an hour on the dot. Elizabeth said, "What's the position with interviewee information? What is the procedure for the information gathered from interviewees who are not successful in securing a position?" Okay, so typically, you can only retain data for the purpose for which you have obtained consent, for example. With interviewees going forwards, if you want to keep it on file, and typically that's what at the moment you would say to an interviewee, "Oh, would you like us to keep your details on file if something else comes up," and typically they'd say yes.

If that's the case, then you need to build that into your application form and have a box on there that says, "If you're not successful with this particular position, would you like us to keep your information on file in case future opportunities arise?" Make sure the wording is all legal, if you like, and have that on there and get them to tick the box, ideally to sign the application form if that's possible, or an online signature, or some kind of positive tick for that, and that then will mean that you've got their consent to actually get back in touch with them if something does arise. I assume that that's the reason for your question, Elizabeth. If it's not, then pop that into the chat box.

Okay, so any other questions? Otherwise, I think we'll leave it there. It's a Friday, and I've got a cake sale to get to. I'm being a little bit controversial and taking fruit skewers to my cake sale, so whether I will actually sell any or not is another matter. We'll see. Suzanna says, "How long would you be able to hold the data in this instance? I'm thinking from the point of view of a recruitment agency client."

Yeah, the GDPR doesn't actually give any fixed deadlines on how long you need to hold the data. It's really for as long as you need the data to... You can't hold it for any longer than is necessary to fulfill the purpose, so if the person is 60, and you have a policy of not taking on people over 65, then in theory at age 65 you should destroy that data because it no longer usefully serves that purpose. Okay? But there's no fixed ... GDPR-wise, there are no fixed dates as to how long you need to hold the data for. Obviously, there are the laws out there as to how long you need to keep things, so, for example, tax records and things like that, and indeed contracts you would want to keep for six years, because that's the limitation period, but the GDPR itself does not specify how long you should or shouldn't hold data for.

Emma says, "I'm sure you will sell some. My daughter doesn't like cake." Yes, well, the reason I do it actually is, there are quite a lot of children who are allergic in some form to normal cakes. They're dairy-free or they're gluten-intolerant or whatever, and I always feel very sorry for these poor children, so I thought, "Oh, I'll do some nice fruit skewers and see if they go down well."

Okay, any other questions before we wrap it up? Okay. Super. Super, super. Well, thank you for joining me, ladies and I think one gentleman who I think disappeared halfway through, but thanks for joining us at the start, Chris, and have a brilliant weekend. Now, I think I committed to doing a Facebook Live every day. I'm not sure if I meant every working day or every day, so we'll see how the weekend pans out and whether I might actually just do some videos tomorrow. I might do that, do a couple of quick videos now and then post them in the group tomorrow because we've had a lot of questions in the group that I can pick up on. Oh, Sophie, Sophie from The Hunger Project, lovely to see you. Thank you for joining. Excellent.

Good. Okay, well, hopefully, that clears things up on employee data. If you've got any further questions about that, then do post in the group. I'll be doing, as I say, I'll be doing a Facebook Live for how to deal with the data of freelancers, because I know that a lot of you in the group will be working with freelancers, but otherwise, thanks for listening. Have a wonderful weekend, and I'll see you next week.