In the February issue of Accountancy Ireland, we considered the concept of a General Data Protection Regulation (GDPR) culture; reviewed the penalties that can be applied by the Data Protection Commissioner; and highlighted the primary areas of GDPR-related risk for employers – namely, consent and security. In this, the second and final article in the series, we will investigate other areas where risk and cost are likely to arise as a direct result of GDPR – namely, subject access requests, retention of data, monitoring employees and employing data protection officers.
Subject access requests
The administrative cost of subject access requests has always been difficult for employers to bear. The number of subject access requests from employees has increased over the years. In our experience, subject access requests typically precede Workplace Relations Commission claims or other civil claims. Upon implementation of GDPR last May, the 40-day response period for subject access requests was reduced to a strict one-month deadline. Although there is an option to extend that deadline by a further two months for complex or multiple requests, our understanding is that the Data Protection Commission will apply the one-month deadline strictly.
A further change brought about by GDPR is the removal of the €6.35 subject access request fee. Historically, the data access request clock did not start ticking until the employer had received both the request and the fee. This is no longer the case. The clock will now start ticking as soon as the subject access request is received. An employer can refuse a request in limited circumstances (if it is manifestly unfounded or excessive, for example). However, reliance on these exceptions will be extremely limited.
Subject access requests are often drafted by employees and while most use the standard format as advised on the Data Protection Commission’s website, they are often not limited to time, period or scope. As subject access requests relate to all manual and electronic data, they are normally costly to complete. If the subject access request precedes an employment claim, it is often excluded under insurance policies so the cost must be borne by the company. Indeed, many struggle to apply the exemptions to data subject rights in the Data Protection Acts 1988 to 2018 (the Act) without legal assistance.
Employers should always engage with the data subject on receipt of a subject access request to seek clarification from the data subject as to the specific information they require in an attempt to limit the scope and cost of the request. Employers should also be aware that the clock continues to tick during such negotiations. Furthermore, companies are obliged to provide additional information to those making the subject access request – for example, information regarding the data retention periods and the right to have inaccurate data corrected. Employers should therefore be aware that even when the relevant documents have been identified, it will take time to redact certain documents to protect other employees’ privacy, which further increases the cost of the exercise. The obvious option to reduce costs is to apply a strict retention policy for documentation but, as we will discuss below, that approach carries its own distinct risks.
A further risk arises in the context of compliance. A company’s compliance officer is often tasked with completing the subject access request as part of his or her compliance role. In some cases, they will have received limited training on the area of data protection and may not be aware of the exceptions contained in legislation, such as legal professional privilege or expressions of opinion. Given the prevalence of these requests and the need to limit the information to that strictly required under the legislation, there should always be some legal input into the completion of a subject access request. Given the media focus on the issue, we expect to see a substantial increase in the number of requests received by companies and it is therefore important for employers to remember that a data subject does not need to provide a justification for seeking his or her personal data – it is their right. Even if the documentation furnished does not provoke an employment claim, it could bring other matters to light that may form the basis of a separate civil claim. For example, a defamation claim could arise as a result of commentary contained within internal emails. Alternatively, a decision to retain a private investigator to surveil an employee could lead to a privacy claim arising.
Retention of data
A key issue for companies in complying with GDPR will be determining what retention periods to apply. Maintaining strict retention periods would likely reduce the cost of subject access requests and limit the likelihood of data breaches occurring, but this must be balanced against the necessity of holding information to defend future prospective claims. The legislation does not provide guidance on this issue, but the website of the Data Protection Commission does.
Employers are advised to consider statutory retention periods, business needs and limitation periods in reaching a decision on retention periods. Statutory retention periods are not uniform and vary from three years (for payslips and wage records) to 10 years (for workplace accidents). Most employment claims have a six-month statute of limitations with a prospective extension of a further six months, while personal injury bullying claims have a two-year statute of limitations. Other claims can also arise within the employment relationship such as defamation (one year, which can be extended to two years in exceptional circumstances).
Data should be retained for the minimum statutory period and reviewed on a case-by-case basis. In cases where issues have arisen, the company can then consider extending the retention period for specific personal data but this decision should be documented carefully by way of a data protection impact assessment and explained in the employee privacy notice.
Monitoring employees
One of the ways in which employers collect and process employee data is through monitoring in the workplace – through email and internet usage or CCTV, for example. A certain level of monitoring is necessary to protect the business and to prevent bullying or harassment claims.
GDPR has made no real changes to the data protection obligations already in place in this regard. The key difference is that an employer must now provide transparency through the privacy notice and data protection policy as to what information is collected, how that information is collected and what purpose it is used for. Failure to do so will result in a breach of data protection obligations.
It is also open to the Data Protection Commission to order the destruction of such information on foot of a complaint. This information could be necessary to defend an employment claim at a later date, making a defence of that claim unsustainable. The implementation of GDPR simply means that organisations will need to work harder to justify their monitoring of employees. Companies must be in a position to demonstrate that they have balanced the employer’s need to protect the business as against the employees’ rights to privacy.
Employment of the data protection officer
The Act now places a legal obligation on certain companies to appoint a data protection officer if their core activities consist of data processing operations, which – by virtue of their nature, scope and purposes – require regular and systematic monitoring of employees on a large scale; or if they process special categories of data on a large scale and/or data relating to criminal convictions. All public bodies and authorities, other than courts acting in their judicial capacity, also require data protection officers. Data protection officers will act as the point of contact between the company, data subjects and the Data Protection Commissioner. The possible appointment of a data protection officer will be a key strategic decision for a company, as it ties them into various obligations. The Irish system is self-assessed in nature so if a company decides not to appoint a data protection officer, the thought process in reaching that conclusion should be recorded and retained. Most importantly, the role of the data protection officer has protected employment status, as an employer cannot dismiss a data protection officer for performing his or her function – even where this may be seen as obstructing the employer in the running of the business.
The Data Protection Commissioner has made it clear that the person appointed must be at a senior level, be in a position to perform the requisite duties and be independent. Ideally, the data protection officer would be appointed from within the current staff pool. However, officers such as chief executive officers, chief operating officers, chief finance officers or department heads are precluded from appointment due to a perceived conflict of interest, thus limiting the pool of candidates significantly.
The GDPR culture may take several years to become embedded in organisations. We hope that in flagging the areas of prospective cost and risk, organisations will be better positioned to navigate the changes.