Yesterday morning, we held our ‘GDPR: A Guide for Managers and HR Professionals’ webinar to help with preparation for the upcoming new EU data legislation.
At the end of the webinar, our host Ed McFarlane fielded a selection of questions from the audience on any GDPR queries and concerns that may affect them. Below is a revised transcript of the questions, along with Ed’s answers for your reference.
For existing employees, do we need to give them the opportunity to consent to us holding the data we already have about them? Is there a form or something we need to get everyone to sign?
With your existing employees, it’s more a matter of informing them that you are processing data and informing them of the basis for it. Rather than asking them to ‘agree’, you should let them know that you are processing their personal data so they can then exercise their rights should they wish.
It’s better to declare in writing what you’re doing and why you are doing it. We are providing letters for our clients so they can inform their employees of the intention to process their data, as part of our GDPR compliance assistance.
Is there already a legal limit for how long we can store customers’ data?
Holding customers’ data generally depends on consent. For example, if they’re on a mailing list they should have consented to being on it, so they will just have to send an email or click a link to say “I want you to erase my data”.
If the customers are individuals, they have data subject rights. Corporations don’t, although an individual at a corporation with identifiable data such as a customised email address would also count as an individual and may have rights in respect of that data.
If you have an ongoing relationship with a customer, you could store some of their personal data on the basis of the performance of a contract and for your legitimate interests. If that person leaves the company, you should delete their data.
If we store our employees’ personal data on a cloud server and it gets stolen, would we be held responsible?
I would probably say yes, because you’re the data controller, and the one who determines the ways and means by which the data is stored. However, if you’ve taken steps to use a reputable provider – and if there were measures in place to report significant data breaches – the chance of enforcement action would probably be low.
The Information Commissioner’s Office (‘ICO’) do know that these things happen, and they may be looking more closely at the cloud provider for not having had sufficient controls in place. The speed with which you report it may be a factor, but hopefully they should have top-notch security to prevent these things from happening. The ICO takes a view that they want to help businesses rather than simply use a ‘big stick’, and if you’ve acted responsibly, you would be in a better position.
Should we send anything to employees before May, or is it just a case of updating contracts, handbooks and relevant policies?
We think it would be helpful to just send a letter out explaining what you’re doing for existing employees, and updating contracts, handbooks and policies as well. Simply explain the basis for which you’re processing personal data. That should be enough as most data processing with employees is not about what is in their contract, but rather the existence of the employment gives rise to the bases for processing data.
Do we need to give all employees a data privacy notice? If so, what does this look like?
A data privacy notice is often something that you would have on your website. It would depend on what data you’re processing, but a data privacy notice would be about informing data subjects to ensure that you meet their right to be informed. As mentioned earlier, we’d recommend sending a letter to your employees to explain why you’re processing their data and the bases for that processing.
We’re an SME and our CEO is currently our Data Protection Officer. We don’t think we need a DPO as per GDPR, as the regulations seem to say a CEO wouldn’t be a suitable person. Can we still designate a senior individual who is responsible for information governance in the organisation, but not quite in the sense of the GDPR DPO?
It all depends on the facts of each individual case. The Information Commissioner has said that someone who has influence at board level would be a good appointment as a DPO, as they would be listened to and their recommendations acted on by the board. There may not be a need to create a specific post for a DPO, but to ensure that the function exists, which may often fit well with Finance or HR. So designating a senior individual is likely to be a good step towards GDPR compliance.
Am I right in thinking that GDPR also requires controllers to specifically consider the interests and rights of children? If we hold data on children, does it suffice to have parents or guardians give permission to hold their data? This is in regards to young people that are doing work experience with us from various schools over the next few months.
Thirteen is the age when you are generally considered to have your own rights under the Data Protection Act, and below that it would require the parent or guardian’s consent. Legitimate interests would be the basis for processing children’s data. Generally, children’s data protection rights are at the edge of our HR Services, but there may be areas of overlap, and the particular situation will need looking at.
Processing data relating to children requires particular care, because children’s personal data is given special protection by the regulations. The new Data Protection Act will have more to say on that, but it’s still moving through Parliament so we’ll know more in future.
For work experience, parental consent is needed and the data limited to contact details and vital interests as they wouldn’t be working for you as employees.
As an HR consultancy firm for SMEs, would each SME have to gain consent from employees to pass their personal data to us for contracts etc.?
People need to be informed that you are processing their data, and the basis on which you are doing it. The basis in this case would be for legitimate interests.
If the employees object to the data processing, you would say that you’re not processing it on the basis of consent, but on the basis of legitimate interests, or for fulfilling contracts and legal obligations. Any data processed would have to be necessary for those reasons though, for example knowing someone’s age so they can be paid the right rate of the National Minimum Wage.