
Melanie Schwingt
Senior Associate
Morton Fraser LLP

With the arrival of the General Data Protection Regulation (GDPR) on 25 May 2018, many organisations have been focusing exclusively on the “outward facing” aspects of GDPR compliance. This includes publishing new privacy notices (to website users, to customers and to employees), ensuring that GDPR-compliant direct marketing consents are obtained and updating data processor agreements.
However, the question for all organisations is whether they also have the necessary internal procedures to deal with, for example, the exercise of an individual’s rights under the GDPR. All organisations will be “controllers” in respect of their own employees’ personal data and will therefore be subject to such employees’ rights under the GDPR. This means that any employee could submit a subject access request to an employer, object to the processing of personal data where the processing is based on the employer’s legitimate interests, request to be “forgotten”, ask for personal data to be rectified or query any decisions based on automated decision-making processes.
A controller must respond to the exercise of such rights without undue delay and in any event within one month of receipt (extendable by a further two months where requests are complex or numerous, provided the individual is told within the first month), so it is important that the organisation has procedures for identifying the exercise of a data subject’s rights (whether or not the employee refers to the legislation when making the request) and for responding appropriately. None of these rights is absolute – for example, where the processing is necessary for the performance of the employment contract, the right to be forgotten will generally not apply while the data remain necessary for that purpose – so the person(s) responding must be aware of the various restrictions and exemptions that may be relevant to any exercise of a data subject’s rights. This is where the appointment of a data protection officer, even where not legally required, may be useful.
Other important internal procedures include implementing the organisation’s records retention policy, establishing any “bring-your-own-device” or other remote IT access policy, and responding to and reporting data breaches within the new timescales (notification to the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals, and notification to the affected individuals without undue delay where the breach is likely to result in a high risk to them).
All organisations will be responsible for their own employees’ personal data, but it is not enough simply to distribute GDPR-compliant privacy notices to the employees. Having the structures and processes in place for dealing with requests from employees will be vital and HR teams will be at the forefront of ensuring ongoing compliance with the GDPR in respect of employees’ personal data.