Unlike some changes for HR practice which might require the amendment of an existing policy or perhaps the drafting of a new policy, this was no simple compliance exercise and required substantial work at the time to comply with both the new requirements of GDPR and of the new Data Protection Act 2018 ("the Act").
With our new data protection regime being 6 months old as of last month, what can we say that we have learned from our experience so far?
Here are some tentative observations offered from the perspective of an employment lawyer (and data protection geek) advising clients on the new legislation to date.
1. Compliance is an ongoing exercise
Most employers will have ensured that, prior to GDPR coming into force, their core building blocks of compliance were in place, including Privacy Notices for staff, job applicants and others, Privacy Policies setting clear internal data protection standards for staff to follow, revising contracts with data processors and amending contracts of employment.
However, as we know, compliance does not stop there and further work is necessary in order to meet some of the additional requirements. To take an obvious example, many employers will be relying on "legitimate interests" to justify aspects of their data processing, but may not yet have carried out legitimate interest assessments (LIAs) to determine if their use of legitimate interests is justifiable. This is important given the accountability principle which requires an employer to be able to demonstrate its compliance.
Another area employers might need to consider is whether they have in place a record of their data processing as required by Article 30. This applies to all data processing for employers with more than 250 employees but applies also to smaller employers in respect of processing special category data (including health information) and criminal record information.
Note also that Part 4 of Schedule 1 of the Act applies additional safeguards and requirements to the processing of special category data and criminal record information, including that an "appropriate policy document" be in place explaining the employer's procedures "for securing compliance with" the GDPR principles in Article 5.
Beyond core documentation, implementing staff training on GDPR requirements will be vital, to ensure that standards put in place are actually being applied in practice and to minimise the risk of data breach incidents.
Much of GDPR relates to the need for ongoing GDPR compliance and vigilance, whether this relates to changes in data processing or to the need to assess the privacy implications of new systems, technology or software. These considerations should be at the forefront of any new projects with a potential impact on staff privacy.
2. The "floodgates" have not opened on the exercise of individual rights
While it stands to reason that the scrapping of the £10 fee to make a subject access request will lead to a higher level of such requests over time, the first six months of GDPR do not appear to have yet resulted in significantly more individuals exercising their rights.
In practice, it remains more likely than not that such rights will mostly be exercised by individuals in situations where there is either an existing dispute with their employer, or where there is a specific concern over particular data processing. Ensuring compliance with the principles and requirements through a robust culture of data protection will, of course, be key to minimising the number of individual challenges that are likely to arise.
3. The ICO is taking a pragmatic approach
In the lead-up to GDPR, the ICO was at pains to play down the significance of the new maximum fines soon to be at its disposal. It promised to continue to take a pragmatic approach to using its powers and where possible look to encourage compliance and good practice, with formal enforcement powers used as a last resort or for serious breaches.
This appears to have been borne out in practice so far. The ICO website and helpline strive to offer useful and practical advice on complying with the requirements of the new legislation. There is no evidence of the ICO taking a robust approach to non-serious issues, and there is most likely a practical appreciation by the regulator that the changes to the data protection regime will take time to embed themselves within everyday practice.
Since there tends to be a gap in time between data breaches taking place and regulatory fines being imposed, we are yet to see the ICO impose a fine under its new powers. However, when imposing the maximum fine of £500,000 on Facebook in October this year for its breaches of the previous legislation (for misusing data analytics for political purposes), the Commissioner noted that, had GDPR been in force, the fine imposed would have been significantly higher. While very substantial fines can certainly be imposed, it seems likely these will be reserved for the most egregious breaches of data protection, in particular serious data security breaches, which have consistently attracted significant fines.
4. We need more employment-specific guidance
Although the Guide to the GDPR published by the ICO continues to be updated and is an invaluable source of information, there are a number of areas where further guidance would be welcome.
In particular, specific guidance on complying with the requirements of the Data Protection Act 2018 in relation to the processing of criminal record information would be helpful, given the lack of clarity surrounding the existing requirements.
One of the potential lawful grounds of processing, for example, is where an employer can show that such processing is necessary for the purpose of performing or exercising obligations or rights imposed or conferred on the employer in connection with employment. While certain roles as a matter of law require or entitle criminal record checks to be undertaken, it is not fully clear how far this condition might permit other (voluntary) checks to be carried out or whether consent needs to be relied upon here (itself not favoured by the ICO within employment, save as a last resort). It is understood the ICO is working on such guidance which hopefully will provide welcome clarification in this area.
More generally, many employment lawyers and HR professionals familiar with the previous Employment Practices Code and the Supplementary Guidance regularly referred to that guidance as providing a practical roadmap to complying with the former requirements of the Data Protection Act 1998 specifically in the employment context. It is to be hoped that the ICO will update this very detailed guidance in due course for employers to follow and make translating data protection requirements into HR practice that bit easier to understand. Until such time, while some of the guidance within the Code still remains useful, it all unfortunately needs to be read subject to the changed GDPR requirements.
In short, it can perhaps be said that while the introduction of GDPR has not yet led to any worst fears being realised, it is likely to remain the case for many employers that there is ongoing work to be done and a continuing need to minimise risk where possible.