GDPR: One year on
The first anniversary of the General Data Protection Regulation ("GDPR") coming into force passed rather quietly. This is a significant contrast to the flurry of activity this time last year from businesses preparing for it. So what have we learned, one year on?
Perhaps the biggest change for employers was the more stringent approach to employee consent under the GDPR. Although relying on consent as a basis to process personal data entailed some legal risks under previous data protection law, it was very common practice in the UK. The GDPR made it very clear that an employee's consent to processing (particularly if contained in an employment contract) will often not satisfy the GDPR requirement for consent to be freely given. However, although employers have needed to update their employment contracts and privacy notices to reflect this, it has not created many practical issues, as employers can often identify an alternative lawful basis for processing employee data.
One issue which has created uncertainty for employers is conducting basic criminal record checks where there is no legal or regulatory requirement to conduct a check. In these circumstances, the employer must identify an alternative lawful basis for processing data about criminal convictions, which the GDPR subjects to restrictions comparable to those applying to special category data. One option is to argue that "regulatory requirements" includes recognised standards of good practice within the relevant sector or role, even where a regulator does not expressly require criminal records checks. However, it is not clear how widely this applies. If an employer cannot rely on this, the other option is consent, but that is potentially problematic for the reasons set out above.
Unfortunately, the Information Commissioner's Office ("ICO") has not yet updated its Employment Practices Code (or the supplementary guidance) to reflect GDPR requirements. Criminal records checks are certainly one area where an updated Code would help employers.
One piece of good news for UK businesses is that although other European authorities have imposed substantial fines for breaches of the GDPR (including an eye-watering £44m fine for Google from the French authorities), the UK Information Commissioner has not yet done so. So far, it has given businesses the opportunity to get to grips with the GDPR. However, now that a year has gone by, it's fair to assume that the honeymoon period is over and the ICO will take a stricter approach to non-compliance. Our experience is that the ICO is already taking a firm line on failure to comply with the data subject access requirements, including where businesses try to extend the deadline for providing the data without a compelling reason.
Although the GDPR's first birthday may have been a muted affair, businesses will want to make sure they are now fully compliant, to avoid falling prey to the "terrible twos".
For any additional information, please contact Senior Associate Alex Mizzi.