Personal data means all data concerning individuals, and that means not only customers but also, for example, suppliers and staff. At the recent GDPR Summit London, GDPR and the rights of employees came up time and time again, and a panel discussion uncovered some important lessons.
Under GDPR, the processing of personal data is only lawful if one of six lawful bases can be applied. The best known of these six bases is consent, but for processing data concerning employees, this may not be appropriate.
Earlier in the day, during the latest GDPR Summit London, Ardi Kolah, Executive Fellow and Director of the GDPR Transition programme at Henley Business School, suggested that using consent as the lawful basis for processing personal data of employees could be inappropriate, as the regulation requires consent to be freely given, something that rarely applies in an employer/employee setting. Instead, he suggested legitimate interests as a more appropriate legal basis.
Later in the day, a panel discussion focused on employee rights.
And there are challenges and opportunities, suggested the panelists.
Let’s be positive and start with the opportunity
“It is going to make employees more secure with what we do with their data,” said Suzanne Dibble, Business Lawyer, Virtual Law.
“It’s an opportunity to clear up,” said Anthony Lee, Commercial Lawyer, DMH Stallard. He expanded on the point: “Around 80 percent of data breaches are down to accidental use by employees. So organisational issues are key.”
James Palmer, Head of Data Governance, Southern Water, said “It is going to create consciousness. There are so many companies that don’t know what they don’t know. So companies will be forced to know what data they have.”
As for the challenge, Karen Holden, Founder, City Law Firm, put emphasis on practicality. She explained that you may have a lawyer draw up a seemingly perfect contract, but if it is difficult to read, it may not be appropriate. For Karen, a key lies in learning. “You may not have done everything perfectly, you will make mistakes. But you need to learn.”
Suzanne Dibble put emphasis on initial implementation. At first, “with every point, you have to sit down with lawyers.”
Anthony Lee said the big challenge lies with “putting privacy at the heart of your organisation.”
The panel turned to the question of subject access requests
Suzanne Dibble said: “Data subject rights are not new. But GDPR brings them into sharper focus.” She added that what GDPR does is introduce a time-frame. “You have to respond to a subject access request within a month,” she said. She then explained: “You can ask for more time, but you need to make this request within a month and explain why.”
Suzanne agreed. “Data subject rights are not new,” she said, but “GDPR brings things into sharper focus.” As for subject access requests, she said that given how GDPR requires a response within a month, it is important to train staff on how to respond.