No matter how good your organisation is at treating its employees, involving them in decision making, creating a consultative environment and even supplying playrooms and free refreshments, the playing field is never level. That’s because you pay them and they rely on you to keep them in employment; no matter what, that dependency creates an imbalance of power: you, the employer and benefactor, giver of opportunity and subsistence, and them, the dependant and beneficiary, recipient of your generosity.
So what, the status quo is maintained, the job gets done? Well, enter the General Data Protection Regulation (GDPR), which has something to say about that relationship. We have all grown to love (or at least be aware of) the GDPR over the last year or so, and many organisations will believe that they have this sorted; according to the statistics, a very small number possibly will have.
Even if you believe all is well in the compliance department, if you employ staff, take time to consider the judgement of the Greek Data Protection Authority (DPA) in July 2019 on Price Waterhouse Cooper Business Services (PwC BS). Yes, PwC, no less!
PwC BS has been fined Euro 150,000.00 for, and I summarise, unlawfully processing the personal data of its employees by using an inappropriate legal basis (the GDPR identifies 6 lawful bases on which you can process personal data). Additionally, PwC BS processed the personal data of its employees in an unfair and non-transparent manner, giving them the false impression that it was processing their data on the legal basis of consent, while in reality it was processing it under a different legal basis about which the employees had never been informed. Finally, although PwC BS was responsible in its capacity as the controller, it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.
Now, if the above isn’t immediately blindingly obvious, let’s unpick it and first understand why employers cannot, except in very limited circumstances, use consent to process employees’ personal data.
Consent is a complex issue, as it must be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes…’. It’s the ‘freely given’ part, right at the beginning, that causes the problem. The regulation identifies that consent cannot provide a valid legal ground for processing personal data in specific cases where there is a clear imbalance between the data subject (employee) and the controller (employer).
Like it or not, the employee is in a position of subordination and is therefore reasonably likely to believe that withholding consent would have prejudicial consequences for their engagement or continued employment; this means consent isn’t freely given. However, don’t panic: there are 5 other legal bases, and one or more of those will be much more appropriate for processing your employees’ data. You just have to nail your colours to the flagpole and declare to your employees which one it is!
Another key issue here is the component of the fine relating to the passage which reads: ‘it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.’
What that means is that the company transferred its compliance obligations to its employees by asking them to sign a statement acknowledging that the personal data kept and processed by the company was directly related to the needs of the employment relationship, and that their data was relevant and appropriate in the context of that relationship.
It appears to be common practice for employee privacy notices to end with a requirement to ‘Agree’ to the terms and conditions contained therein. But the privacy notice is not a contractual document that employees have to sign to accept your conditions of processing. What it is, however, is a requirement for you, the employer, to comply with the GDPR principle of ‘Transparency’, to uphold the right of data subjects to be informed of the processing and to demonstrate your accountability in meeting the requirements of the GDPR. In short, it is the required disclosure by the organisation to the employee of what data is processed and how you are going to treat it properly and keep it safe. Yes, ask them to sign to indicate they have received the notice and acknowledge its contents, but don’t offload your responsibility onto them.
This case proves that even the ‘big boys’ with their many resources get it wrong and have to face up to the sanctions and the reputational damage caused by very public exposure. The SME community is at risk of falling foul of data protection law through a lack of knowledge, a misunderstanding of the requirements, or a sense that it is possible to ‘fly under the radar’ and take the risk that the regulator has far bigger fish to fry. As this case demonstrates, the consequences of not getting this right can be severe. My advice is, at the very least, to get some independent, objective advice and guidance on the GDPR on which to base your risk decisions.
Derek Mann RISC, MSyI (Dip) is a director of Compliance and Privacy Solutions Ltd, a data protection consulting company working with SMEs to support their compliance journeys. Please contact us or call 01293-279-770 to talk through what we can do for your business.