In the latest article of the GDPR series, Razia Begum and Rachel Ashwood consider the potential litigation, financial, reputational and operational risks for employers who fail to comply with the GDPR.
The GDPR provides an opportunity for organisations to showcase a high standard of personal data protection, which in turn could increase confidence in your brand and enable you to source the best talent, users and customers.
On the other side of the coin, the potential for a fine of up to €20 million or 4% of annual worldwide turnover (if higher) for failure to comply with the GDPR is enough of an incentive to make data protection compliance a priority for most employers. The financial stakes are certainly high. The repercussions of non-compliance, particularly from an HR data point of view, extend beyond the headline fine. This article looks more closely at each of these risks.
The GDPR widens the scope for individuals to bring private claims in terms of who they can sue and what they can sue for.
Under the GDPR individuals can bring private claims against both data controllers and data processors. Currently it is only data controllers (such as employers) that are liable to data subjects; however, the GDPR will mean that data processors (such as external HR providers – including providers of virtual HR services) can also be liable if they are processing personal data on behalf of the employer.
Successful private claimants may currently be awarded compensation for personal data breaches only where they can prove financial loss. Under the GDPR this is no longer a requirement; instead, compensation may be awarded for non-financial loss such as distress or injury to feelings. Dealing with such claims can lead to employers incurring significant costs, as well as having to devote management time and effort to defending the claim.
Group action claims/leverage
At the end of last year, the first UK group action claim in relation to breach of an organisation’s data protection obligations was heard in the High Court. The case was brought against Morrisons Supermarket Plc by nearly five thousand of its employees and former employees, whose personal data had been unlawfully disclosed by a former “rogue” employee of Morrisons. The High Court found that Morrisons was vicariously liable for the deliberate data breach and, whilst the issue of quantum has not yet been decided, the outcome is likely to be extremely costly for the supermarket. See article here.
Whilst the Morrisons case was brought under the Data Protection Act 1998, it is likely that we will see more of these types of “class actions” in the employment arena under the GDPR. This is because under the GDPR, employees will be able to mandate a not-for-profit body, organisation or association to exercise their rights and bring claims on their behalf. This right opens the door for employees to consider group actions, potentially through trade unions, where they feel that an employer has not complied with the rights that they should be afforded under the GDPR. There are multiple risks associated with a successful group action claim against an employer including financial, reputational and organisational. Even simply the threat of such a claim can be a powerful bargaining chip for employees during the course of any financial and/or settlement negotiations with their employer.
The “eye-watering” fines for breach of the GDPR are unsurprisingly attracting the attention of board level executives, not to mention the media. The GDPR sets out a tiered approach for breaches, with non-compliance of fundamental principles attracting the largest fines. Factors such as the type of breach, its scope and the duration, are taken into account when determining the appropriate level of fine. In other words, there are no hard and fast rules on what businesses will be fined in the event of a breach – leaving it ultimately to the discretion of the authorities.
A breach of fundamental principles includes (amongst other things) failing to demonstrate that suitable consent has been provided by employees for the processing of their personal data. This is particularly pertinent given that traditional blanket data protection consent clauses in employment contracts are unlikely to provide a valid basis for processing HR data under the GDPR. Such consent is unlikely to be “freely given” (as required under the GDPR), given the typical imbalance of power between the parties. Employers and HR practitioners will therefore have to reconsider their legal justification(s) for processing data under the GDPR.
In the past 12 months, organisations such as TalkTalk, Tesco and Yahoo have failed to adequately protect their customer data and have suffered substantial reputational damage as a result. The fines levied against these businesses are relatively insignificant in comparison to the loss of consumer and investor faith caused by reputational harm following their respective data breaches.
The speed at which the media operates in today’s society means that within hours of a data breach, an employer’s name can be splashed across the internet, social media platforms and other media outlets. The result in most cases is adverse publicity and damage to the organisation’s brand and goodwill. Whilst these high profile breaches specifically concerned customer data, any breach of HR data could have similar reputational consequences for an employer. For example, if consumers learn that a business cannot protect its own employees’ personal data, they are less likely to trust that business with their personal information.
The GDPR continues to receive significant media and market attention, especially with the draft Data Protection bill expected in September. Employers can be sure that the Information Commissioner’s Office will be seeking to make examples of organisations that do not comply with the new legislation. In fact, in the run up to the GDPR the number of organisations (be that commercial businesses both large and small, local authorities and even charities) that have been fined for data breaches has markedly increased. Some have observed this is simply a warm-up exercise of what is to come under the GDPR.
The reputational risk for a data breach is further increased given the attention which is likely to surround the first examples of where enforcement action is taken under the GDPR. Employers should therefore ensure that they get their own processes, procedures, systems and documentation in order in respect of HR data, which has equal importance as customer or commercial data.
Employee relations/staff morale
Breaches of the GDPR may leave employers exposed to employee relations or staff morale issues. Data breaches which concern HR data are likely to be the topic of conversation amongst the workforce. Inevitably this may build a culture of distrust amongst the workforce. Moreover, persistent breaches of the GDPR could leave employees feeling that their personal data is not secure and may lead to complaints, grievances, claims and general disgruntlement among staff.
Whilst we hope that most organisations have now started their GDPR planning and preparation, for those that haven’t, an appreciation of the risks of failing to comply with the GDPR (as described in this article) should now help focus the corporate mind on this key area.
If you require any further information or advice about matters covered in this article or any other aspects of the GDPR, please contact Razia Begum or Rachel Ashwood. You can also read about our GDPR toolkit for HR practitioners here.
Read the previous article in the GDPR series – Who is your lead supervisory authority?