We are now one year into the new, tougher data protection regime under the General Data Protection Regulation (GDPR). Richard Porter, employment law expert with Thompson Smith and Puxon in Colchester and Clacton takes us through what the first year has taught us and provides a checklist to help employers continue to comply.
There was a genuine hype and sense of fear when the GDPR came into force, however, the sky did not fall in and there was a sense of a repeat of the panic around “Y2K”. That’s not to say, however that these rules have teeth and they are here to stay.
The regulations ensure that the GDPR will still be in force in the UK when (or if) the UK leaves the EU. If you only operate within the UK, you will not notice any changes. However, if you were to transfer personal data to or from Europe, things might be different depending on the terms of the UK’s exit. The Information Commissioner’s Office (ICO) has further guidance and resources on Brexit.
Reporting data protection breaches
You are now required to report to the ICO any data protection breaches, such as an unauthorised disclosure of an employee’s personal data to a third party that presents a risk to an individual.
We can help you decide whether you are under a duty to report a breach.
Enforcement and fines
Enhanced powers were given to the ICO to enforce data protection law including the power to impose fines of up to €20 million or four per cent of worldwide turnover if higher. Individuals can be compensated for any distress caused by a data protection breach.
Cases under the new law are yet to come through the system so it is still too early to assess the level of damages that might be awarded. However logic dictates that increased awareness of data protection rights, coupled with the obligation to report some data breaches to the ICO, makes it likely we will see increased numbers and levels of fines.
Employer liability for ‘rogue’ employee’s data breaches
The 2018 Court of Appeal case in Various claimants v WM Morrison Supermarkets plc was the first group action for a data protection breach. Over 5,500 employees brought a claim against their employer Morrisons after a vindictive data breach by a senior IT auditor. The auditor, who had a grudge against his employer disclosed the personal data of nearly 100,000 of his co-workers online. Even though he wanted to cause harm to his employer, and he disclosed the information from home outside his working hours, Morrisons was still liable for the disclosures. Although the facts of this case were unusual and there was probably little more that Morrisons could have done to protect its employees’ data, it shows the extent to which employers can be liable.
Morrisons is appealing to the Supreme Court against this decision. However, the courts are increasingly finding employers liable for the acts of their employees.
ICO action against employees
Many employees still do not fully understand their responsibilities under data protection law; merely having a data protection policy is not enough. Employers must train their staff, continue to remind them of their responsibilities and make breach of data protection law a serious disciplinary offence. Even if, ultimately, there is no claim against the employer, the reports from the ICO’s office carry the names of those investigated; one’s reputation is on the line.
The following are examples of actions by employees that have landed them in a criminal court:
• a GP practice manager was fined for sending an email to her personal email account, which contained CVs and personal details of job applicants;
• a trainee secretary at a GP practice was prosecuted for reading patient files, apparently because she was bored at work; and
• an administrator at a used car dealership was fined for forwarding work emails, which contained information about customers and colleagues, to her personal email account.
Checklist to help compliance
Data protection is an ongoing responsibility. Consider the following:
• Are your privacy notices still valid or do they need updating to cover all the purposes for which you process employees’ personal data?
• Do your privacy notices cover everyone in your workforce? Do not forget any workers and contractors, as well as employees and job applicants.
• If you have a data protection policy, does it still cover all the personal information you handle, your activities and requirements?
• Does your induction process for new staff include up-to-date data protection training? Does it spell out the individual’s responsibilities and the importance of handling personal information lawfully?
• Are you hanging on to personal data longer than is necessary? When should you delete information about unsuccessful job applicants and employees who have left?
• Have you updated your contracts of employment to reflect your policy and practices?
• Is it time to remind managers of their responsibilities in regard to employee data? For example, could they spot a request for a subject access request if they received one?
• Have you kept records to show your compliance with the GDPR?
• Have you carried out data impact assessments, for example if you have introduced CCTV in the workplace?
• Do you share any employee personal data with a third party, such as a payroll provider or an organisation with whom you are collaborating? If so, have you got appropriate agreements in place? You may be liable for data breaches by a third party.
• If you are a service provider who receives personal information about your client’s employees, have you worked out if you are acting as a controller, processor or joint controller? Do you understand your obligations?
• When staff leave, do you have a process for ensuring their personal data is removed from your website and your business’s social media accounts?
• Finally, it is never too late to become compliant. An audit of personal data is a good starting point.
For help, advice or training on GDPR or any other employment law issue, please contact Richard Porter or Jolyon Berry in the Employment team on 01206 574431 or by email email@example.com or firstname.lastname@example.org. Thompson Smith and Puxon has offices in Colchester and Clacton , Essex.