GDPR HISTORY SUMMARIZED
The Data Protection Act 1998 aimed to balance the entitlement of organisations to collect, store and manage various types of personal data, with the privacy rights of the individual about whom the data was held.
The Act covered both manual and computerized records that, when put together with other information, could divulge personal information about an individual. It gave individuals certain rights, and required decision-makers to be open about processing and to comply with the eight data protection principles.
On 25 May 2018, the Data Protection Act was replaced by the General Data Protection Regulation (GDPR). There are no exemptions based on a size or sector — all organisations must comply with its requirements in full or face a hefty potential fine. On the whole, the rights individuals enjoy under the GDPR are the same as before but with some significant enhancements.
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. Special category data is broadly similar to the concept of sensitive personal data under the Data Protection Act 1998. The requirement to identify a specific condition for processing this type of data is also very similar.
One change is that the GDPR includes genetic data and some biometric data in the definition. Another is that it does not include personal data relating to criminal offences and convictions.
What is the problem with GDPR and privacy ?
Today, more and more companies “repose trust on their employees’ consent” to process their personal data and short consents are often included in employment contracts for that purpose. The problem comes when big companies with some secret contracts access your private data to fear you without any special reason.
Having personal data stolen can have a significant impact on your mental and physical wellbeing. More and more frequently, come to the light cases from people who are unable to sleep, feel ill, unsettled or confused following a data breach.
It is more and more easy to spy on you using the data you’ve put on a wifi network or through your email. There are spy machines capable to track you wherever you are when they want. And there are many examples of personal data which have been hacked and even sold to companies or given to foreign governments as Al Jazeera documentary revealed some weeks ago.
In papers, under the General Data Protection Regulation (GDPR), the requirements for valid consent have been made much stricter. Consent must be freely-given, specific, informed and revocable. The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid. In the employment context, it has long been acknowledged that there is such an imbalance between employer and employee. This means that it will be very difficult indeed for employers to rely on consent to process employees’ personal data under the GDPR.GDPR as a potential Threat to Personal Life?
GDPR deals with employee records as personal data such as human resource’s employee files, which can cover, besides all the usual identifiers (name, address and photos), personal details such as health, financial, employee reviews, family contact information, and more.
Unfortunately, due to the actions of some of Europe’s most trusted companies, GDPR has become an essential step in ensuring the protection of EU citizen’s data. For instance, regarding the United Kingdom, on this site are cited eight costly UK data breaches that helped pave the way for new EU legislation.
Before any surveillance can take place under GDPR rules, organisations must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use. The ECHR’s ruling is clear that some personal use must be tolerated, saying: “An employer’s instructions could not reduce private social life in the workplace to zero”.
As private communication meets the definition of personal data (as described in Article 4 of the GDPR), organisations must prove that they have a lawful ground to collect and monitor this information.
According to Article 4 of the GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data stored, transmitted or otherwise processed by the organization. This also includes incidents that result in personal data being only temporarily lost or unavailable. It’s critical to understand that this definition differs dramatically from those in other standards, such as HIPAA, which often limit the concept of data breach to unauthorized access and disclosure only.
Breaches of data within the workplace can relate to pay & conditions, sickness & absenteeism, disciplinary & grievance disputes and even private medical information which is shared and/or disclosed inappropriately.
At EU level, the European Network and Information Security Agency (ENISA) has released some practical tips on how to implement homeworking software.
Employees Have Data Privacy Rights
Typically, an employee has given consent to processing of her data as part of an employment contact. But since the employee likely had no choice but to sign the contract in order to get the job, the GDPR does not consider this freely given.
Many people have mistakenly thought this means getting consent, but not only is consent hard to get and keep, the GDPR says an employee cannot give consent to an employer because of the inherent imbalance of power. In other words, consent can’t be “freely given” if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear for their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.
And that also means, with some restrictions, that employees gain privacy rights over their data: they can request, just as a consumers do, access to their personnel files, and have the right to correct errors.
There’s even an employee “right to be forgotten”, but only when the data is no longer necessary for the “purposes for which it was collected”. Obviously, employers have a wide claim to employee data so it’s easy to see that most employee file are protected from being deleted on demand.
CPO Magazine covered a GDPR fine that accompanied a data breach this time in the fashion and prêt à porter industry. The €35,258,707.95 (about $41 million USD) that fashion retailer H&M is on the hook for does not stem from a cloud server misconfiguration, but the massive penalty was levied due to the exposure of something more substantial than customer contact information, as the article analyses. The articles reveals as well, how due to the pandemic lockdown and work from home, some employers can breach some personal data through your own pc.
These potential violations of personal privacy are most often tied to tools that organizations adopt to rapidly scale up remote work capabilities, some of which have not been thoroughly vetted and tested before being deployed.
A 2019 data breach revealed that H&M had been creating highly inappropriate profiles of the private lives of some of its employees for at least five years. The company earned the GDPR fine by recording personal information gleaned from one-on-one conversations: religious beliefs, medical conditions and procedures, family issues and details about trips that they took while on vacation among other items. Supervisors at the company’s Nuremberg service center would take note of these details while conversing with employees and then log them in a database that up to 50 other managers had access to.
Anyone whose personal information has been compromised in a workplace data breach may have grounds to claim compensation. Ultimately, if a workplace has failed to protect your personal data, you have a right also to claim compensation.
The process for data access under GDPR will be mostly the same as it was under the Data Protection Act of 1998, but with a few slight differences. For starters, a person will need to file a subject access request (SAR) that, as noted by the Guardian, is simply “an email, fax or letter asking for their personal data.”
For clear guidelines on submitting an SAR, see the Subject access code of practice from the Information Commissioner’s Office (ICO). There is no particular format required, as long as the request is made in writing.
GDPR Breaches became more frequent during the current lockdowns accross the EU.
Security measures must be in place that are appropriate for the data held, including implementing strong passwords and encrypting electronic data. Workplaces should also strictly control who has access to sensitive data, making sure this is limited to those within the organisation who have a legitimate need to access the data in question.
Controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security for personal data that is commensurate to the risk associated with data processing. This is not a static analysis, but something to be kept under review as circumstances change. The mass shift to remote working has inevitably changed the risk profile of certain data processing activities.
Due to covid19 and social distancing measures, has seen a sudden and unprecedented shift from the offline to the online world leads to an ever-increasing collection of personal data concerning employees.
For example, some videoconference platforms allow event hosts to analyse their participants’ attentiveness in real time. Others allow meetings to be recorded. Such recordings may include the participants’ voice, chats, and faces but also their private surroundings at home –as captured via their webcams- as well as the screens shared by the speakers.
According to a FieldFisher.com article, online monitoring is not so obvious for employees and can easily go unnoticed. In such circumstances, the border between lawful and covert surveillance is very thin. The Covid-19 crisis does not alter the principles and rules on which the protection of employees’ privacy is based.
Regardless of the technology, tools and third-party providers that are being used, companies who offer homeworking tools to their employees must ensure that the processing of their employee data complies with the principles and rules under the General Data Protection Regulation (GDPR) and must also be aware of the specific rules that govern employees’ privacy under national laws.
For instance, regulators have imposed a fine of €10.4 million (roughly £9.3 million) on notebook retailer notebooksbilliger.de AG (NBB) after it was found to have conducted intrusive video surveillance against its employees.
When a personal data breach has occurred, you need to estimate the risks to people’s rights and freedoms. If it’s likely that there will be a risk, then you must notify the regulators; if it’s unlikely then you don’t have to report it.
Assessing the risks involves determining whether there will be negative consequences for individuals. Recital 85 explains that a breach can have various adverse effects on individuals, such as damage to reputation, physical and material damage, and other significant ill effects. If you decide not to inform regulators, you need to be able to justify your decision and prove those risks are unlikely to happen.
Sources on which this article was based :
- Employee “consent” under the GDPR _Thomson Reuters
- GDPR training– itgovernance.eu
- The risks of online employee monitoring during the COVID-19 crisis -Fieldfisher.com
- IT retailer faces €10.4m GDPR fine for employee surveillance -ITPRO.co.uk
- Guide to the General Data Protection Regulation (GDPR), Information Commissioner’s Office, available on the ICO website
- The Employment Practices Code — Part 1: Recruitment and Selection, Information Commissioner’s Office
- The Employment Practices Code — Part 2: Employment Records, Information Commissioner’s Office
- The Employment Practices Code — Part 3: Monitoring at Work, Information Commissioner’s Office
- The Employment Practices Code — Part 4: Information about Workers’ Health, Information Commissioner’s Office
- GDPR Data Protection Policy (Employment)
- GDPR Enforcement Tracker
- Cypriot authorities have a duty to reply – Financial Mirror
Photo credit: Licence Creative Commons