When General Data Protection Regulations (GDPR) changed on 25th May 2018, you may have done some work in preparing how the changes impacted your data when it came to clients and customers. However, it may have passed you by that it could impact employment issues also.
As a busy business owner, you are trying to juggle growing your business while you keep on top of all the day-to-day running. It is understandable that you may not realise the impact of GDPR when it comes to employment. As time moves on and the regulations are enforced and tested by the courts, the impact on employment is being felt rather significantly.
As someone who is involved with complicated employment problems, I think it is important that every employer is aware of what GDPR could mean for them, the impact it could have on your employee relationships and your business as a whole.
What do GDPR regulations have to do with employment?
Like many things, it’s how regulations are used and enforced in practical terms that matters to a business. As a bit of a refresher, the regulations state that if you are a business that accesses and processes (uses) personal data, then the person whose data it is has a right to know what data you have, what you are doing with it and if it is being stored safely.
When you become an employer you are the data controller for the employee’s personal data. The personal data that you have on an employee includes among other things their name, address and email address. As a business that holds employee data, the employee has a right to know what data you have and how it is being used and you have an obligation as a business to provide that information if it is requested.
The method used to ask what data a business has and how it is used is a “Subject Access Request” or SAR. Therefore any written documents (paper or electronic, such as emails) with the employee’s name on it can be requested under a SAR from an employee. There are some exclusions and technicalities that I will talk about in subsequent articles, however there are very few reasons a company can use to excuse their way out of complying with a SAR altogether.
When a SAR is received from an employee, the employer has 30 days to compile all the documents relating to the request. If an employee requests every piece of data with their name on it, this can be a very difficult and lengthy discovery process, so it is best that you are prepared.
In what ways could complying with the request hurt an employer?
The most common intention around an employee making a SAR is to drain time and resources. Going through everyone’s computer systems and finding every email, evaluating its relevance and deciding if it can be included or excluded is a very time-consuming task. It will involve every paper document, which will need to be copied, and every electronic one, which can be hundreds of emails and communications. 30 days is not a long time to decide on, compile and index a long list of documents, especially if you are relying on information from other people around the business.
SARs can be used to try and gather evidence of either poor processes and data control, or worse, because an employee is looking for evidence that you have treated them in a way that is unfair. The employee could be gathering evidence for a tribunal claim or looking for evidence that as an employer you have fallen foul of the regulations.
This could be exposed if you are storing or using information in an unlawful way, such as storing special category data (information about health and protected characteristics) without permission or using it in decision making where it shouldn’t be.
If an employee is looking to make a claim with an Employment Tribunal, the evidence gathered in a SAR could be used to show a number of failings in the duties of an employer. Employers have a duty to demonstrate, through their employment processes’ adherence to employment law, that they are treating their employees fairly at all times. However, in the absence of well documented processes, how does an employer demonstrate this?
If the employee uncovers emails that discuss their health conditions as part of a redundancy process or another finds their gender discussed in a way that relates to performance, it could damage a business’s chances in a tribunal. Every employment process should be well documented, including the rationale behind it and the strategy to deliver it, especially if it is around dismissal. Without the rationale being well documented, it becomes your word as a business against an employee, leaving a tribunal to infer intention, regardless of whether it was present. The duty is on the employer to document the fairness in their decisions and processes, not the duty of the employee to prove that they are unfair.
It may be that you receive a SAR from an employee and while you are spending time and energy trying to figure out how to respond, a request to settle the issue and make it all go away comes along. Don’t be too surprised if a request to make a settlement agreement follows most SAR requests as there are definitely some people in the employment law marketplace who encourage the use of SARs to get a settlement agreement from an employer where there may not be a case to answer for. The hassle, time, resource and potential for embarrassment in complying with a SAR can make a settlement agreement sound like an easy option. You may decide it is worth it to accept these terms and make the immediate problem go away, however these tactics spread like wildfire in a business and could trigger a repeat performance across multiple employees, leaving you very vulnerable to extortionate terms.
Could a business get away with not complying with a SAR to avoid all the issues that disclosure could bring them?
GDPR and data protection regulations are managed by the Information Commissioner’s Office (ICO). The ICO investigates and enforces data protection breaches and can hold businesses and individuals responsible for the business liable for failing to respond in accordance with the regulations. This could mean fines for businesses and individuals if data is not handled appropriately, and could impact a business’s ability to store and hold customer or client data, which would throttle a business’s ability to do business. It’s not a position that any business wants to find themselves in. The only real remedy to this problem is preparation and prevention.
Prepare for your employees from their first day as if they are going to request a SAR. Make sure you have an employment file for everyone and that all employees are trained in what gets written down (including emails) and what does not. Make sure you have processes in place that record an employee’s progress and performance on a regular basis and audit files regularly to make certain that only relevant information gets recorded.
If a decision is being made that may result in a dismissal, either a redundancy or disciplinary process, the only information that is written down is the information relevant to the decision making rationale and compliant with both employment law and GDPR. If you are unsure of those boundaries, then seek advice. Have a specific recording policy across the business where the issues and consequences are explained and make sure you enforce it. If difficult discussions need to be had, then have them in person and don’t record notes, only outcomes and next steps. Finally, give the impression to your employees that you are aware of your duties and you do everything you can to deliver on them. If there are no skeletons in the cupboard, people are less likely to try and fling the door open to expose them.
If you are not prepared to receive a SAR, whatever you do, get advice about your employment processes and how you can become more GDPR compliant. The best way to get out of these kinds of legal and regulatory traps is not to get caught in them in the first place.
Being GDPR compliant is just one legal responsibility for an employer. To make sure you know exactly what your other legal duties are and the consequences for not performing them, download a copy of my Employment Essentials Guide.