Thursday 12 April 2018
If an auditor had to walk into your business today and ask you the question "where are your employee contracts?" what would your answer be? Over the last few months, the answers that I have received have been either that the business doesn't have contracts with employees or that the contracts were done when the employees entered the business and have not been updated. I have yet to go into a business where a file can be presented with up-to-date employee contracts that have relevant data protection updates (that are signed!) attached to them.
Shall we back this up a bit, because at this point you are most likely outrageously exclaiming over the fact that 'an auditor' (what auditor!!!??) can come in and look at contracts, and wondering what gives them that right. In getting ready for the coming into force of the General Data Protection Regulation (GDPR) in May of this year, you will need to go through several different spaces in your business to ensure that your people and processes are 'privacy proofed'. One of these spaces is Human Resources and, flowing from this, your employee contracts. An audit (internal or external) of your business is a great exercise to help you identify gaps in this space and others.
Where does the GDPR say I have to have contracts?
You as the business owner or manager must be able to demonstrate that the people who handle the personal data within your business are qualified to handle said data and that you have adequately prepared them to do so with the level of care that is expected from them under the GDPR (and other relevant law). This is part of implementing appropriate organisational measures to ensure security of processing, as well as accountability and privacy by design under the GDPR. How will you demonstrate that your workforce is qualified and prepared? You could attempt to do so with some kind of record of the working day, but the logical starting point is the employee contract, where you would detail the obligations and responsibilities inherent within each position. From this would flow procedures and remediation or disciplinary steps, entrenching good practice within the organisation.
So, do you have those contracts?
If not, your first port of call is getting measures into place together with your solicitor and perhaps an HR consultant to bridge this gap. Within your standard employment contract, you are going to have to include provisions that deal with the data protection obligations of the business and the responsibility of the employee in this regard. These provisions must be specific and plainly worded. Getting to what these provisions should specifically be is a journey in itself.
DPP, you say?
It starts with the Data Protection Policy (and others) of the business. Before you react and jump into putting a blanket set of obligations into contracts, take that step back and go to source. Get out (or draw one up) the Data Protection Policy of the business and ensure it is updated to the standards required under current data protection law. From this, you will begin to see the flow down of responsibility within the business. Once this document is in place, it would be good practice to have a round table discussion with department heads or relevant staff members as to how each department is going to meet the data protection obligations relevant to that department. Out of this, the responsibility and obligations flow down onto employees. Only then (and this is broadly speaking) are you ready to start amending employee contracts with specific and relevant obligations.
Some Questions You Might Ask
- What are the general data protection obligations relevant to all employees?
- What duties do you see flowing down directly into the daily work of the different employees in your business?
- What expectations would managers have of employees for which they are responsible?
- How will your employees deal with data subjects (your customers for example) exercising their rights against the business?
- How will employees deal with data breaches?
- Do you have policies that govern these situations? If not, draw them up before you start on the employee contracts.
Obligations on Employees
Part of the data protection obligation on a business (and this should flow from your DPP) is that your employees need to understand WHY data protection is important. If they do not understand the WHY, they will most likely not buy into the WHAT they need to do to ensure the business is always in good standing. The WHY includes the importance of understanding the risks to and rights of data subjects, as well as the consequences to the business if the business is found not to be compliant with the GDPR. To help comprehend the WHY and meet part of the privacy by design obligation on the business, training on data protection and privacy requirements is highly recommended for employees.
You as the business owner must decide what the WHAT is going to entail. There is a set of general obligations within every business that will apply to all employees. For example, everybody would most likely have email on the company domain, so they would all be bound by a policy outlining data storage and retention requirements. There would be specific obligations that apply to different types of employees, too. An example here would be the person who collects sick notes in the business. What is the process for handling this (potentially sensitive) personal data? A chain is only as strong as its weakest link. A business owner should be aware of those weak links and should be remediating them through training and support, strengthening that chain rather than waiting for it to break.
A point to note here would be to ensure that you are aware of the limits of the cyber and even public liability insurance that your business has bought. Is there any scenario you can envisage where an action or non-action of an employee would jeopardise that cover?
Further, you as the business owner will have to decide on the consequences of a wilful or negligent breach of the data protection obligations within the business. Would there be an investigation and disciplinary procedure? Would this entail penalty or suspension? Specialist advice in this regard would be necessary to ensure the bounds of the law are not exceeded.
Data Protection for the Employee
Finally, the business must cater for the employee as data subject in the employment contract. This means that the employer, in clear and plain language, should be informing the employee of the rights they enjoy under data protection law. The employer needs to be transparent about the collection and use (processing) of the employee's personal data, as well as demonstrate their accountability for that data. Data sharing, access to data by third parties and data retention periods should be outlined. The employee, as data subject, should also be informed of the procedure within the business under which they can exercise their rights, such as accessing a copy of their data or having their data rectified.