One year of GDPR: staying on the right side of the regulations
We are now one year into the new, tougher data protection regime under the General Data Protection Regulation (GDPR). Brexit or no Brexit, these rules are not going away any time soon. This article takes us through what the first year has taught us and provides a checklist to help employers continue to comply.
New regulations ensure that the GDPR will still be in force in the UK after the UK leaves the EU. If you just operate within the UK, there will be little change. However, if you transfer personal data to or from Europe, things may change depending on the terms of the UK’s exit. The Information Commissioner’s Office (ICO) has further guidance and resources on Brexit.
Reporting data protection breaches
You are now required to report to the ICO any data protection breaches, such as an unauthorised disclosure of an employee’s personal data to a third party that presents a risk to an individual. We can help you assess whether you need to report any breaches.
Enforcement and fines
When the GDPR came into force, enhanced powers were given to the ICO to enforce data protection law, including the power to impose fines of up to €20 million or four per cent of worldwide turnover, if higher. Individuals can also receive compensation for distress caused by a data protection breach. Other than in relation to the data protection fees, cases under the new law are yet to come through the system, so it is too early to see the level of damages that will be awarded. However, increased awareness of data protection rights, coupled with the obligation to report some data breaches to the ICO, makes it likely we will see increased numbers and levels of fines.
Employer liability for ‘rogue’ employee’s data breaches
The 2018 Court of Appeal case in Various claimants v WM Morrison Supermarkets plc was the first group action for a data protection breach. Over 5,500 employees brought a claim against their employer Morrisons after a vindictive data breach by a senior IT auditor. The auditor, who had a grudge against his employer, disclosed the personal data of nearly 100,000 of his co-workers online. Even though he wanted to cause harm to his employer, and he disclosed the information from home outside his working hours, Morrisons was still liable for the disclosures. Although the facts of this case were unusual and there was probably little more that Morrisons could have done to protect its employees’ data, it shows the extent to which employers can be liable.
Morrisons is appealing to the Supreme Court against this decision. However, the courts are increasingly finding employers liable for the acts of their employees.
ICO action against employees
Many employees may not properly understand their individual responsibilities under data protection law. Just having a data protection policy is not enough; employers must train their staff, continue to remind them of their responsibilities and make breach of data protection law a serious disciplinary offence. Even if there is no claim against the employer, the ICO’s reports name the employer, so reputational damage is unavoidable.
We can advise you on how and when you can lawfully monitor your employees’ emails to protect the personal data that your employees can access.
Here are a few examples of actions by employees that have landed them in a criminal court:
- a GP practice manager was fined for sending an email to her personal email account, which contained CVs and personal details of job applicants;
- a trainee secretary at a GP practice was successfully prosecuted for reading patient files, apparently because she was bored at work; and
- an administrator at a used car dealership was fined for forwarding work emails, which contained information about customers and colleagues, to her personal email account.
Checklist to help compliance
Data protection is an ongoing responsibility. The likelihood and consequences of enforcement action are much more significant under the new regime. Here are a few areas to think about to ensure you are complying:
- Are your privacy notices still valid or do they need updating to cover all the purposes for which you process employees’ personal data?
- Do your privacy notices cover everyone in your workforce? Do not forget any workers and contractors, as well as employees and job applicants.
- If you have a data protection policy, does it still cover all the personal information you handle, your activities and requirements?
- Does your induction process for new staff include up-to-date data protection training? Does it spell out the individual’s responsibilities and the importance of handling personal information lawfully?
- Are you hanging on to personal data longer than is necessary? When should you delete information about unsuccessful job applicants and employees who have left?
- Have you updated your contracts of employment to reflect your policy and practices?
- Is it time to remind managers of their responsibilities in regard to employee data? For example, would they recognise a subject access request if they received one?
- Have you kept records to show your compliance with the GDPR?
- Have you carried out data protection impact assessments, for example if you have introduced CCTV in the workplace?
- Do you share any employee personal data with a third party, such as a payroll provider or an organisation with whom you are collaborating? If so, have you got appropriate agreements in place? You may be liable for data breaches by a third party.
- If you are a service provider who receives personal information about your client’s employees, have you worked out if you are acting as a controller, processor or joint controller? Do you understand your obligations?
- When staff leave, do you have a process for ensuring their personal data is removed from your website and your business’s social media accounts?
- Finally, it is never too late to become compliant. An audit of personal data is a good starting point.
For help with becoming compliant or checking you are still compliant with data protection law, please get in touch.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.