Just a short time since the General Data Protection Regulation (GDPR) came into force and many organisations are still grappling with it. We are still receiving many questions from our customers and prospects so this blog has been created to provide some additional information based on questions we have received.
Legal disclaimer: This is general information and may not be relevant or accurate to your specific situation so you should ensure you take your own legal advice.
1. What do we do about contact information for the employee of a prospect or a customer?
If the contact information of employees of a prospect or a customer included data items such as employee name, address, email etc. this would be classed as personal information within the context of the GDPR. At the outset the first step an organisation should undertake is to ask why it needs that information in the first place.
Once it has established it needs that information for a particular business purpose then there is an obligation on the organisation collecting the data to do certain things: it must inform the data subject from the outset what it intends to do with the data; what is the purpose of the processing; the legal basis for the processing; who the data will be shared with and in what context; and, whether it intends to transfer the personal data outside the EEA.
Once it has done the above, the organisation has further obligations under the GDPR to process the data in a lawful, fair and transparent manner for the business purpose it was given by the data subject.
The organisation must also maintain the accuracy of the data and the confidentiality, integrity and availability of the data as well as keeping it secure. This will also include determining the retention periods for the different data types in relation to the business purpose and any statutory obligations the organisation may have.
2. What about candidate CV’s/Applications forms?
CV’s and application forms will hold quite a lot of personal data and quite probably sensitive data such as specific health conditions etc. Under the GDPR organisations need to give careful consideration in the first instance to protecting sensitive data and the security controls that should be in place.
This will of course take into consideration that a lot of organisations still deal with CV’s and application forms in paper format. Paper records fall within the scope of the GDPR and issues like retention apply to paper records also.
3. How long can I keep candidate CV’s/Applications forms?
You need to consider the retention period of candidate data contained in CV’s or application forms as the organisation should not hold the personal data for an indefinite period. Organisations should typically hold CV data for a period of six months.
This covers the statutory three month period for any claims being made under employment law for discrimination – which starts at interview, and retain the contact details of alternative candidates. Beyond this period the organisation should really consider deleting the data unless it has a good purpose or statutory obligation to retain the data.
4. What should we do about employee data that is not just processed for contractual reasons?
Employers will often process employee data such as contact details in order to arrange business travel, and ensure the employee receives training and optional benefits e.g. health plan, and gym membership. When organisations undertake these activities the lawful basis of processing is likely to be legitimate interests.
If so, you should carry out a Legitimate Interest Impact Assessment.
5. What do we do about candidates/employees providing next of kin data?
It is quite normal when organisations interview and recruit employees and during that process capture additional personal data that is not related to the candidate under consideration, or an employee who has joined the organisation.
In most cases, you would determine that you should not inform the next of kin that you are processing their data as it may infringe the Rights & Freedoms of the candidate/employee. For example, in the case of a beneficiary of death-in-service benefit, that person may not know that the employee is their relative (e.g. illegitimate child). So in informing the beneficiary of the fact you are now processing their data you could be committing a data breach. If in doubt, you should undertake an assessment to balance the Rights & Freedoms of the candidate/employee against the Rights & Freedoms of the next-of-kin.
NOTE: If the next-of-kin is likely to be under 13 you need to factor in the additional obligations of the GDPR with respect to the processing of children’s data and who can give consent.
6. Who can give consent?
Most commonly consent will be given by the data subject in the context of what it is they are consenting to. Consent isn’t, as some people believe, just related to direct marketing.
There may be circumstances where consent is given by a third party. This would include situations where e.g. a carer consents on behalf a patient with diminished responsibility, or a social worker gives consent on behalf of a child in care, or a lawyer under Power of Attorney.
Where an organisation is concerned and it plans to outsource Payroll to a third party provider, then it is clearly impractical for the outsourcing provider to get the consent of every member of staff to share their data. This would be handled through the employment contract, and the organisation would outsource to the payroll provider under the legitimate interests lawful basis of processing.
7. When should I use consent?
Consent is one of the lawful basis for processing, but there are alternatives. If getting consent is difficult, you should consider using an alternative lawful basis. Consent is appropriate where you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate or if you make it a condition of processing then you are probably using the wrong lawful basis of processing. If you would still process the personal data without getting consent, then asking for consent is misleading and inherently unfair.
8. Do I still need opt-in consent on web forms if we are using legitimate interest?
Consent and legitimate interest are two separate lawful basis of processing which are ideally suited to different business scenarios. Consent is about offering people real choice and control over how you use their data, and you as a business want to build a relationship based on trust.
Legitimate interest by contrast is more flexible and may be considered where another lawful basis is not available, due to the nature and/or scope of the processing, or where a number of lawful basis can be used, but legitimate interest is the most appropriate. The most appropriate lawful basis will depend on the personal data being processed and the purpose of the processing.
Whatever legal grounds you decide to use for data collected on web forms, make sure a link to your Privacy Notice is clearly displayed and the data subject’s attention is drawn to it.
9. Do I need to ask our customer for permission to process their employee’s data or do I need to ask each employee individually?
No, you would tell them on your own privacy notice what information you were processing, for what purpose and who you would be sharing the information with.
10. Should we send an Article 14 notice in the above example?
Normally, an Article 14 notification should be sent whenever you collect data indirectly about a Data Subject.
- within a reasonable of period of obtaining the personal data and no later than one month;
- if you plan to communicate with the individual, at the latest, when the first communication takes place; or
- if you plan to disclose the data to someone else, at the latest, when the data is disclosed.
However as discussed in section 5 above, there are situations where you may choose not to send an Article 14 notification e.g. due to the impact on the data subject.
11. Can we send information i.e. P60 to an employee personal email addresses?
Technically, yes. However you would have to consider the security risks in sending confidential information to a personal email address in accordance with data protection principles.
12. When should you ask permission to store personal data i.e. inbound price enquiry by phone?
If calls are being recorded, you should inform the customer at the outset that the call is being recorded. When organisations collect information they should be open about why they are collecting it, only use it in a way that would be within the reasonable expectations of the data subject, and not in a way that is unfair to them. You might of course decide to record some calls but not others i.e. complaints but not enquiries.
We recently ran a GDPR live Q&A session. To listen to the recording, click here.
GDPR offers a unique opportunity to look at data management policies and ask some hard questions about processes and systems – an opportunity to do things better and improve on the way we deal with customer data and how we engage with them.
Technology like CRM cannot make you compliant but they can help you efficiently manage your GDPR obligations. If you would like to discuss how Workbooks can help, please contact us today on +44 (0) 118 3030 100 or email us at email@example.com for more details.