We answer some of the questions raised from our series of articles on preparing for the GDPR.
Thank you to those who have sent in questions and provided feedback on our 'Preparing for the GDPR' series. You can find all previous episodes on our specialist guidance pages.
You can send us your thoughts and questions on any GDPR topic by emailing us.
While we are not able to respond to queries individually, we do hope to address the main issues you raise over the coming weeks.
Below are answers to some of the questions we have received so far.
*Please note, links to the various articles of the GDPR referenced below are to a non-official website for ease of reference to specific articles. The complete official regulation can be found and downloaded here.
Employee data and the GDPR
How long should we keep employee-related data?
The GDPR storage limitation principle is substantially similar to the current Directive.
Article 5(1)(e) of the GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Special rules exist for archiving in the public interest, for scientific or historical research purposes, and for statistical purposes. The GDPR does not contain special rules on storage limitation for employee-related data.
Are there certain types of personal data that are more tightly regulated, particularly in relation to employees?
The processing of special categories of personal data is more tightly controlled than other personal data and some personal data about employees may well fall into this category.
The special categories are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Processing of such data is prohibited unless one of the grounds in Article 9(2) can be established. These grounds include processing that is necessary in the employment field (see 9(2)(b), which should be consulted before processing such data) and processing that is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (9(2)(f)).
The nature of your processing and the risks it poses to individuals’ rights and freedoms are factors to be taken into account in determining the appropriateness of the technical and organisational measures you should implement to ensure a level of security appropriate to the risk (Article 32).
Where should personal data be stored?
There are two main aspects you should consider when deciding where to store personal data you are processing - the media you use for storage and their geographical location.
The GDPR’s protection for individuals aims to be technologically neutral and not depend on the techniques used (Recital 15). Whether you use local, cloud-based, or any other kind of storage media (including manual processing based on storage of personal data in filing systems) will depend on your processing needs and your ability to achieve an appropriate level of security. This could, for example, involve using media that allow you to encrypt personal data. See the ICO discussion of encryption.
The GDPR is intended to remove obstacles to flows of personal data within the Union and Chapter V of the GDPR deals with transfers of data to third countries. The GDPR only permits transfers of personal data to third countries or international organisations (governed by public international law or an agreement by two or more countries) where the country or organisation ‘ensures an adequate level of protection’ of the data rights of natural persons set out in the Regulation. In the absence of an adequacy finding, the GDPR provides for a number of alternative safeguards through Article 46 to enable data controllers and processors to transfer personal data outside the EU/EEA. If you are intending to process personal data outside the Union you should familiarise yourself with these provisions.
Our GDPR pages provide useful information on various elements of GDPR as well as external links which may be of use.
The ICO provides a guide on preparing for GDPR which should be your first stop as you work towards compliance. They have also developed two checklists for data controllers and data processors which may be of use.
We have provided guidance for law firms on when it may be necessary to appoint a data protection officer.
We encourage you to share useful information with your colleagues. Everyone in your firm will have some responsibility for GDPR compliance.
Upcoming GDPR conference
Our GDPR conference, 'Get Data Protection Ready: Down to the wire', will be held at the Law Society on 17 April. Book now to hear from experts including representatives from the ICO, the National Cyber Security Centre and other law firms.