At this point, employers should have carried out a detailed analysis of their flow of employee data and where and how they track their employees’ activities, considered what information they control or process, how they collect that information, the purpose for which they hold it, how secure it is, whether it is passed to third parties, and how long they should retain the information.
Organisations are also likely to have carried out Data Protection Impact Assessments (DPIAs) to identify and minimise the data protection risks of any ongoing or upcoming projects during the run-up to GDPR implementation. Arising from those considerations, employers will have taken steps to update employee contracts (moving away from a reliance on consent), privacy notices, information and communications technology (ICT) policies and data protection policies.
Many managers in these organisations are now sitting back, patting themselves on the back for a job well done, assured that they have protected themselves against future claims. But is this true? In this article, the first in a two-part series, we will briefly examine the key obligations of GDPR and highlight the areas we believe employers will need to monitor in the future to minimise litigation risk and costs arising from GDPR.
The new status quo
When discussing GDPR, the most important thing to point out is that a new standard has been established in relation to the controlling and processing of data. The Data Protection Commissioner (DPC) has made it clear that companies must develop a GDPR mindset and culture to ensure that breaches do not occur. As we know, new cultures take time to bed down. To be successful, they also require vigorous training and monitoring of staff in the short term, with ongoing training in the medium to long term. The steps taken by companies up to 25 May 2018 merely represent the compliance side of the equation. Companies have carried out risk analysis and put policies and processes in place in an attempt to protect themselves against prospective future claims. However, the reality is that companies need to continue that evaluation in the short to medium term. At this point, companies should be in a position to re-evaluate the impact of GDPR on their business and assess the ‘real’ litigation risk to determine whether they need to adapt their processes to minimise those risks going forward.
Data Protection Commissioner
Before discussing the prospective risks and claims that may arise because of GDPR, it is important to review the sanctions or penalties contained in the Act. Traditionally, only the courts could levy fines against companies. In practice, this meant that the DPC would always have to issue legal proceedings, incurring costs and delaying enforcement. With the introduction of GDPR, the DPC can directly impose fines on companies. This is likely to increase the number and level of fines imposed in the future. With the implementation of the Act, sanctions have increased and administrative fines have been introduced. For the most serious infringements, organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. For example, a serious breach for employers would include not having sufficient consent to process data.
For lesser breaches, organisations can be fined up to 2% of their annual global turnover or €10 million, whichever is greater. Examples of lesser breaches include not having records in order, not notifying the supervisory authority and data subject about a breach, or not conducting impact assessments. The level of fines is measured against the “nature, gravity and duration of the infringement”. With the appointment of two additional commissioners, the DPC will likely have the resources to carry out significantly more investigations on an annual basis.
The office of the DPC has helpfully provided guidance on its website as to the approach it intends to take to enforce GDPR. It has confirmed that no compliance grace period will apply. Factors that will be taken into consideration are whether the company can demonstrate a genuine commitment to meeting its GDPR obligations through its GDPR compliance programme, the scale of the infringement, whether the breach is negligent or wilful, and its readiness to engage with the DPC. The DPC’s focus will be on ensuring that companies comply with the rights of data subjects, that data protection principles are respected, and that organisations are transparent in relation to the data they collect and process and the basis upon which the data is being processed. Unlike its UK counterpart, the Irish DPC has been particularly proactive in focusing on the issue of transparency and has regularly flagged the requirement for privacy notices to be issued or updated in advance of GDPR implementation. In simple terms, companies must ensure that data subjects understand what, how and why their data is being processed.
Individual claims and the new ‘Data Protection Actions’
The most notable change in the Act is that actions can now be taken by individuals for material or non-material damage. GDPR provides for joint and several liability, so both the controller and processor can be held fully liable for any damage caused. The Act does not define non-material damage. As with many civil actions, proving loss can be a hurdle to claimants. With the removal of the material loss requirement, the prospect of cases being taken by individual claimants becomes a real threat for companies.
Individuals and employees can now sue for stress and emotional damage allegedly suffered because of breaches of GDPR obligations. There has also been a huge public media campaign surrounding the introduction of GDPR, making private individuals far more aware of their data protection rights. Luckily, class actions are not a feature of litigation in Ireland. However, it is easy to see how well-publicised data breaches could invite a flood of claims against companies by individual data subjects.
A review of the Act makes it obvious that increased litigation will be an inevitable result of the implementation of GDPR. Some risks have been heavily ‘red flagged’ while others are less obvious.
Consent – personal data
With the implementation of GDPR, there has been a lot of discussion around the issue of consent to process personal data. Personal data falls under two categories: personal data and sensitive personal data. Given the inequality between an employer and an employee, consent to process personal data may not be “freely given” by employees. As a result, employers are recommended to rely on other grounds to justify processing; for example, a necessity for the performance of a contract or a necessity to comply with a legal obligation that allows the employer to process the data. This approach should have been reflected by the updated data protection policy and privacy notices rolled out within organisations prior to 25 May 2018.
The DPC has imposed strict criteria for drafting privacy notices in this jurisdiction. Companies are obliged to include a list of the personal data they hold, how they collect it, and how they use and share information during an employee’s employment and after it ends. During the course of the employment relationship, for example, it could be necessary to provide information to a variety of external contractors for a variety of issues including wage function, legal advice, the potential sale of the business or to comply with the law.
All well-drafted privacy notices should clearly set out a company’s obligations to employees in respect of their personal data and should be shared with staff to ensure transparency. The notices should also set out the company’s other data protection obligations, such as proportionality, ensuring information is secure, and putting employees on notice of their rights to access, correct or erase that information. The availability of this information to employees makes it more likely that employees will query the data being held and the basis on which data is processed in the future. As a direct result, the number of complaints to the DPC regarding consent is likely to increase.
Sensitive personal data
The issue of sensitive personal data often arises in the context of employee data; for example, when employers are dealing with an employee’s medical information. Employers can be left in difficulty when investigating an employee’s absence from work, as it is open to an employee to provide medical certification but no details of their illness. An employer is entitled to certification and confirmation of return to work assuming these are required by their absence policy. However, the employer may not be entitled to specific details of the employee’s illness.
With the spotlight on GDPR, employees are much more likely to refuse to furnish such information to employers, making it extremely difficult to manage absenteeism and provide cover for absent staff. It has also become increasingly common for employees to go on sick leave in the midst of a disciplinary process in an attempt to frustrate that process. If an employee refuses to furnish details of their illness, the question will arise as to whether the absence is linked to workplace stress or something entirely unrelated. A recent Workplace Relations Commission (WRC) decision in relation to furnishing medical data confirmed that the employer was entitled to ask the claimant for the details of a family illness. This suggests that the WRC may take a common-sense approach when disputes come before it relating to employees being required to furnish sensitive data to employers. Despite this helpful decision, given the difficulties in holding and processing sensitive data it is inevitable that organisations will simply be forced to hold less sensitive data in the future.
An employer’s obligation to keep employees’ personal data secure has not increased because of GDPR. What has changed is the level of transparency employers need to demonstrate to employees in relation to that data. Employers’ privacy notices should confirm that the information is held securely and that there are procedures in place to deal with a suspected data security breach. This includes an obligation to notify the regulator and the data subject of any breach. The notices should also confirm that the employer will limit access to personal information to those who have a genuine business need to know. The transparency of this arrangement will increase the likelihood of employees making subject access requests (SARs).
First published in Accountancy Ireland in February 2019