23 March 2018
The GDPR: Enhancing Employees’ Data Rights
The exponential growth in the communication of personal data has brought with it increased risks of breaches of privacy and data rights. Anxieties regarding personal data, and who is doing what with it, have intensified with the growing storm surrounding Cambridge Analytica and Facebook.
In the workplace, the data protection landscape will be transformed on 25 May 2018, when the EU General Data Protection Regulation (GDPR) comes into effect. This will result in greater control over your personal data, a strengthening of your rights and an improved range of options to seek legal redress.
If you have a problem at work it may be that these new data protection laws can help you.
What do I need to be aware of with the introduction of GDPR as an employee?
The GDPR introduces a single legal framework that applies across all EU member states. Up until Brexit, the UK will need to comply with the GDPR, and under the proposed European Union (Withdrawal) Bill the GDPR will remain UK law, although it could be amended thereafter. In connection with the GDPR, a new Data Protection Bill has been introduced to Parliament which will, amongst other things, implement permitted derogations into UK law and repeal the Data Protection Act 1998.
Employees should be aware that from 25 May 2018 there will be big changes to personal data rights, to their benefit.
A wide definition of personal data
The GDPR definition of ‘personal data’ is much wider than the definition under the DPA – "any information relating to a data subject". This means that even an IP address can be personal data. While what amounts to personal data is largely a question of context, given technological developments in the way organisations collect information about people, new forms of personal identifier are likely to be personal data.
A requirement for a legal basis for processing data
There are six lawful bases for processing data, such as where there is “consent” and where processing is “necessary” for certain purposes; but if that purpose can be achieved in some other way, your employer may not be able to rely on that basis.
A higher level of consent
The GDPR requires a much higher level of consent to process your personal data than under the DPA. The GDPR defines consent as, “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. It is therefore unlikely that consent clauses in existing contracts of employment can be relied upon by employers given the imbalance of power in an employment relationship. Consent can also be withdrawn at any time. Any declaration of consent should also be in an intelligible and easily accessible form and use clear and plain language, so burying it in an online form that requires some mental gymnastics to understand is likely to be inadequate.
Where your data is sensitive, known as Special Category Personal Data (this includes data revealing for example: racial / ethnic origin, political opinions, religious or philosophical beliefs or data concerning health, genetic and biometric data) an additional specific condition is required, such as “explicit consent”.
A new duty to be accountable
This will require employers to have policies in place and retain documents which can be provided to a supervisory authority on request. Where there is a dispute, for example if your employer fails to keep your personal data secure (e.g. it is copied and used by a rogue employee), there is likely to be more documentary evidence available as to what measures to protect your data were implemented.
Delete it, freeze it, correct it
The GDPR package of rights includes the right to erasure (to be forgotten), the right to rectification and the right to restrict or object to processing. It seems likely that these rights will have greater significance for employees, particularly where personal data is not accurate or kept up to date and a consequence of that is damage to the employee. The employer will also have an obligation to inform any third party to whom the data has been disclosed that the employee has requested erasure of personal data.
Infringements of data subjects’ rights will now result in fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover. This has increased the stakes massively and is likely to give an employee with sustainable GDPR breach concerns significant leverage in negotiations.
Improved rights of access to personal data
Subject access requests for personal data are commonly deployed by employees in employment disputes on the basis that they are “purpose blind”. The new Data Protection Act will remove the requirement to pay £10 for access to your personal data; the GDPR will generally require a response, with the data, within a month, and requires more extensive information about the processing to be provided.
There is also a provision which suggests that the controller should be able to provide remote access to a secure system, to give you direct access to your personal data. Given these secure access platforms are becoming a feature of disclosure in modern litigation, it seems likely that these kinds of requests will become more difficult to resist.
Claims for compensation
Data subjects can claim compensation from a controller or processor where they have “suffered material or non-material damage as a result of an infringement” of the GDPR.
In the recent case of Various claimants v Wm Morrisons Supermarket PLC EWHC 3113 (QB), a civil claim was brought against Morrisons under the DPA when a rogue employee posted the personal details of almost 100,000 Morrisons’ employees on a file sharing website. The claim was for breach of the DPA, misuse of private information and breach of confidence. Although the High Court was unwilling to find that Morrisons was in breach of the DPA, the Court found that Morrisons was vicariously liable for the deliberate and criminal disclosure of the personal data.
Although the case is currently being appealed, the impact of the decision as it stands is likely to be enlarged by the GDPR due to the greater accountability for employers and increased data subject rights. This case may also result in an increase in group actions for compensation.
It is highly likely that data protection issues will be an increasingly significant element in employment disputes. With the possibility of massive fines for infringements and reputational damage, it is time for employers to take their data obligations seriously.