General Data Protection Regulations ("gdpr") 2018

Paul Johnstone, partner at specialist employment law firm Collingwood Legal gives some practical hints on how to use the new GDPR rules to protect business interests

Many people will already be aware of significant changes to the way in which the processing of personal data will be regulated when the GDPR comes into force in May 2018 and many organisations may be shuffling this particular “hot potato” between the IT department and the HR department as to who should have primary responsibility for ensuring compliance with the new rules.

The best practical way to approach these regulatory requirements is to ensure that all aspects of operational business practices are given a “sense check” to establish where there are areas of risk within the organisation’s practices whereby personal data belonging to any employees or customers or prospective customers (who may submit details or enquiries via online portals) would bring these rules into play.

How to prepare:

– Identify all existing data systems and the personal data processed. Consider setting up an information asset register. Understand the legal basis for processing the data and identify what will need to change to comply with the revised regime.

– Ensure resources to prepare for change have been allocated. Identify who has responsibility and ensure that they have the time and support to plan for the reforms Review privacy notices and other fairprocessing information given to employees (and job applicants). Consider what additional information will need to be included. For example, what “legitimate interests” underpin processing? How long will data be stored?

– Assess whether the business uses consent to justify processing. Consent must be freely given, specific, informed and unambiguous.

– Review contracts of employment, handbooks and policies to see whether and how they deal with data protection (and in particular, whether contractual “consent” is sought).

– Establish a policy (with a timeline) for handling data breaches. Obtain a full picture of exposure to potential data breaches by ensuring that breaches and loss are reported to whoever is responsible.

– Train staff on data protection responsibilities.

– Develop and implement a policy on retention and storage of data, including emails.

One particular aspect of data protection rules which is specifically relevant to HR practitioners and employers is how the Information Commissioners Office (“ICO”) appears to be making far more use of enforcement action through the courts to prevent the unlawful processing of personal data. There have been a number of cases recently where individuals who have sought to utilise their business contacts (emails and telephone numbers and addresses etc) have fallen foul of the strict rules which carry not only civil penalties but also potential criminal prosecution.

Bearing in mind the vital importance of protecting legitimate business interests it is well worth considering how best to achieve that objective taking into account the GDPR and the ICO’s jurisdictional powers. For example, any posttermination restrictive covenants in a contract of employment which are designed to prevent outgoing employees from soliciting business from or dealing with clients with whom they have worked during the time that they have been employed by a particular organisation should be amended to include specific reference to the unlawful activity of processing personal data relating to individuals (such as former colleagues, clients or prospective customers and suppliers etc…). This information is capable of being protected as a legitimate business asset.

The courts must carry out an exercise when considering the enforceability of a restrictive covenant to establish whether the covenant strikes the right balance between protecting a legitimate business interest without enforcing an unreasonable restraint of trade. It has always been good drafting practice to be as clear, precise, detailed and unambiguous as possible. Referring specifically to company names in a schedule or spreadsheet to lawfully prohibit individuals working for those named competitors is a long established practice. Our recommendation is that a similar approach should be taken to protecting the individual names, telephone numbers and contact addresses (both email and postal) and Facebook or LinkedIn and other social media contacts which could constitute personal data for the purposes of GDPR. This information is a legitimate business asset which is capable of being considered the property of the employing organisation (subject to the duty to process such data in a lawful manner). Any breach of the duties not to process personal data without consent or without having an acceptable lawful reason to do so is now not only capable of being the subject of civil action for injunctions and damages but could potentially be a criminal matter