Making sense of GDPR, six months on

What are the tricky issues employers are grappling with following the introduction of new data protection rules? Michelle Lawlor-Perkins reports

With potential fines of up to €20 million or four per cent of annual worldwide turnover for breach of the General Data Protection Regulation (GDPR), the stakes are high for employers to understand the new regime and act accordingly. These include:

1 Subject access requests

GDPR has made subject access requests (SARs) easier. Previously, employees had to pay £10 and employers had 40 days to respond. Now the £10 has been waived (unless the request is ‘manifestly unfounded or excessive in particular because of its repetitive character’, in which case a ‘reasonable fee’ can be charged). The 40 days has been reduced to ‘as soon as possible’ and, in any event, within one month (although this may be extended for a further two months for complex requests). As a result, and no doubt due to increased public awareness, we have seen an increase in the number of SARs received, although that may also be related to the abolition of employment tribunal fees. The reduced response time places a greater burden on employers. However, the Data Protection Act 2018 (DPA) provides some exemptions to the information individuals can have access to. 

2. New additional rights

As well as SARs, employees can also now request personal data be erased, for example if it were no longer considered necessary for the purpose for which it was originally required. They could also ask the employer to rectify and update any inaccurate or out of date personal data, ask for processing to be restricted, or object to processing on certain grounds. However, as long as the employer has not used consent as the lawful basis for processing (which is generally not applicable to employees or job applicants), it may be able to reject such requests and cite other lawful grounds for continuing to process the data. For example, employers would not want to have to erase disciplinary warnings and records. 

3. Difficult areas

Some employers are still struggling with ‘special categories’ of personal data and information about criminal convictions. For both these, employers must identify an additional lawful condition (either under the GDPR or the DPA) for being able to process the information. For ‘special categories’, an employer must have an Appropriate Policy Document, explaining:

  • its procedures for complying with key principles in reliance on the additional condition; and

  • its policies with regard to retention and erasure of such data in relation to the additional condition. 

The ICO has yet to confirm whether this must be a stand-alone document (as the DPA suggests) or could be a combination of documents, but the requirement should not be ignored. 

Helpfully, in conjunction with the Information Commissioner’s Office (ICO), Unlock has now published guidance on how employers can ensure they are acting lawfully when asking for and processing information on criminal convictions. Long gone are the days of blanket criminal conviction questions for job applicants and again, consent as a lawful basis will not usually be valid. 

Practical steps 

While we await further clarity from the ICO and test cases, employers should review (or start preparing) privacy notices for job applicants, staff and former staff; an appropriate policy document; update staff policies, including data protection and IT policies; and train staff on the new regime.

For SARs:

  • Ensure staff know how to recognise a request (requests can be made orally or in writing).

  • Consider whether you need to provide the information that has been requested or an exemption applies. 

  • Keep a centralised log of requests to automatically calculate the response date.

  • Scope the extent of each request upon receipt – if it is particularly complex, consider notifying the employee of reasons why an additional period will be required to respond.

  • Narrow down the search by requesting further information from the individual.

  • Request identification – the clock starts to run when you have received what you need to verify the individual’s identity.

Michelle Lawlor-Perkins is a senior solicitor in the employment law team at Blake Morgan LLP