It is one year into the GDPR regime but what are the next steps for organisations? We discuss the developments over the last year, the lessons to be learned and what priorities employers should concentrate on next.
Siobhan Bishop: Hello and welcome to our Podcast on GDPR. We are discussing where we are now, one year on from the General Data Protection Regulation being introduced, where the key risks lie and what employers should be focusing on for the next 12 months.
I am Siobhan Bishop, a Principal Associate in the Employment, Labour & Equalities Team here at Gowling WLG and I am joined by Alice Loughney, an Associate in our Team.
It is one year into the GDPR regime and for the purposes of this Podcast we are working on the basis that employers have already completed the most basic steps, so done the relevant audits and have put in place privacy notices and policies and what we are going to look at now is what developments there have been over the last year and where employers should concentrate their efforts for the coming year. So Alice, let's look back first on what the Regulators across Europe have been focusing on so far and what lessons these lead to for employers and how they can learn from this.
Alice Loughney: A lot of the activity so far, both EU-wide and in the UK, has not been directly related to employment data, and many of the cases that have started since GDPR came into force are still working their way through the tracks.
I think from what we do know, we can draw out three key themes for employers in the coming year. This is based on where the focus has been so far and also where the ICO (the UK regulator) has said its strategic priorities are going to be for the year to come. The three key themes for employers to look at in the next year are:
- Handling personal data breaches;
- Responding to data subject access requests or DSARs; and
- Automated decision making
Siobhan: Thanks Alice. So looking first at one of those key priority areas, handling personal data breaches, what developments do you see there?
Alice: One of the main challenges for employers is that under GDPR you have to act really quickly in the event of a data breach. The obligation is to report any notifiable breaches as soon as possible and within 72 hours. Even if you don't have all of the facts, you still have to go to the regulator as soon as you know that something has happened. If that is not possible, for example if someone sat on a breach or you have not become aware of it until after 72 hours have passed, you need to be prepared to explain yourself to the regulator. So it is really important to make sure staff understand the urgency and recognise a breach when it happens.
The ICO has recently published that there has been a huge increase in the number of notifications of breaches since GDPR came in. The regulator has said that it sees that as positive as it shows employers engaging with their obligations, but it has also said that many of those breaches probably were not notifiable and it recognises that organisations need some more guidance on when breaches should be notified to the regulator.
So look out for that guidance in the coming year, but in the meantime I think I would recommend erring on the side of caution: if there has been a breach, it is probably best to assume it is notifiable to the Regulator.
Of course in this area, you also need to watch out for civil liability because when there has been a serious data breach, individuals who have been affected may bring claims against you as an organisation through the Courts as well as any regulatory action that you may face.
Siobhan: One of the key messages here is to have in place robust procedures that allow employers to act confidently and quickly in response to any potential breach.
OK so the next key area that we are looking at is data subject access requests. What are the key messages from this area?
Alice: Data subject access requests are not anything new under GDPR. Most HR teams will be very used to responding to these, but I think since GDPR came in, we have certainly seen a huge increase in the number of requests coming in. They are pretty much a matter of course in employment litigation now and also as part of exit negotiations and sometimes during particularly messy grievances.
One of the key changes under GDPR is that data subjects are entitled to ask not just for a copy of their data but also for other information about how it is processed: for example, who has access to it, and retention periods. We are seeing more and more subject access requests containing requests for that information as a matter of course in the initial letter that you receive asking for data. Cynically, perhaps, that might be to make it even more time consuming for an employer to respond. If the request is made as part of negotiations, it may put more pressure on the employer to reach a deal that is favourable to the employee.
Most of that additional information should be contained in your privacy notices so if you spent some time making sure that they are thorough and GDPR compliant, you can save yourself some time in re-inventing the wheel every time you get a DSAR in, requesting that additional information.
Siobhan: And given the volume of data that is now held electronically, would you recommend employers use automated or electronic solutions to respond to the increasing number of DSARs?
Alice: Yes I think if the organisation has the resources, as more and more data is stored electronically, it is likely to become a necessity to have at least some electronic assistance in finding and sifting the data.
One development to watch out for over the coming year is an investigation by the Austrian data protection regulator (their equivalent of the ICO). It is looking into eight companies who have introduced electronic solutions for responding to DSARs. Mostly these are big household-name technology companies such as streaming services, who presumably had considerable resources to invest when they put these solutions in place. The complaints were orchestrated by a privacy rights campaigning organisation called None of Your Business. The allegation made by this organisation is that the electronic solutions put in place were deficient in different respects and none of them fully complied with their obligations under GDPR. For example, many of them only provided data subjects with access to the raw data and not the other information which they were entitled to request, such as who the data is shared with or retention periods.
Siobhan: Thank you. That is really interesting and we will see how that develops.
We are looking forward now to what is coming down the tracks, which also links with one of the important areas you have just highlighted: artificial intelligence and the adoption of automated solutions. How much progress and what developments are we seeing in that area?
Alice: The use of artificial intelligence sounds quite futuristic but it is becoming more and more prevalent in the HR world and I think particularly we are seeing this in recruitment. The ICO has published that it is going to be focusing on artificial intelligence over the next year as one of its eight top strategic priorities, so it is vital to make sure that you are comfortable that what you are doing or planning to do in this area stays on the right side of the law.
Under GDPR, decisions which are taken solely on the basis of automated processing, and which have a legal or other significant effect on an individual, are on the face of it banned unless you can bring yourself within one of the exemptions set out under GDPR. I think almost all employment decisions will have such an effect.
So an example of a decision which would be solely automated would be if you had, say, a piece of software which sifted through applications for a job and sifted out those with less than a certain number of years of experience. On the other hand a decision which would involve a human review (and therefore not fall within these provisions) would be a process which sorted CVs into piles for a human reviewer to then look at and decide who to interview.
Importantly, if you are carrying out automated decision making, even if you fall within an exemption, the individual who was subject to that decision can require a human review and, in almost all cases, you should also be carrying out a data protection privacy impact assessment. That is something I would recommend more generally anyway whenever you are introducing a new process or considering something out of the ordinary that involves processing data, because it makes sure you have thought through the potential impact in a structured way and that you can evidence that you are compliant with GDPR.
Siobhan: Thanks Alice and another question focusing on the future is what is going to happen to GDPR in light of Brexit?
Alice: Well on "Brexit day", although GDPR is an EU Regulation, it does not mean you can rip up your privacy notices and stop complying. The data protection obligations contained in GDPR will be enshrined in UK law and the ICO has already said that the existing guidelines it has published will continue to apply.
Where there is a bit more uncertainty, though, is the movement of data between the UK and other EEA countries. In an employment context that is likely to be part of day to day working life if, for example, you have reporting lines which cross borders with EEA countries, or you may have shared services or outsourced functions in another country. In that case the steps that employers need to take to minimise the impact of Brexit on their day to day operations will depend on whether there is a deal and, if so, what is agreed. So there is still quite a bit of uncertainty and I think a really important part of planning for Brexit is to make sure you know where employee data is currently crossing borders.
Siobhan: Many thanks Alice for those insights and especially the recommendations on what priorities employers should focus on in terms of complying with the GDPR in the coming year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.