We all know that sharing personal space with others when you or they are sick is a risk to your health, but it may come as a surprise that sharing the personal data of contingent workers can present a risk to the health of your company under the General Data Protection Regulation. Under the GDPR, both staffing firms and employers may suffer the consequences of failing to follow basic rules of hygiene.
In a staffing supply chain, data flows between several parties, each making use of that data for different reasons. In addition to the staffing supplier and the client employer, the parties may include an MSP, an umbrella company, a payroll provider and background check service providers. The personal data may be processed for the purposes of recruitment, administering payroll, onboarding and management, paying tax or keeping records for health and safety. In some form, the data may also be used for analytical purposes and marketing.
Data Flow and Purpose
The first step in complying with the GDPR is to map the flow of personal data and the purposes for which it is used. For any processing activity, including sharing personal data with others, there must be a lawful basis for doing so. Of the six lawful bases permitted by the GDPR, four are most likely to apply to data processed as part of the contingent worker supply chain:
- The individual worker has given specific informed consent;
- the processing of personal data is necessary for the performance of a contract with the worker;
- the processing is necessary to comply with a legal obligation; or
- it is necessary for the legitimate interests of your business.
The second step for any recipient of personal data is to inform the individual data subject, by means of a “privacy notice,” that they hold the individual’s data. This must be provided at the point of collection or as soon as possible after receiving the data from a third party. A reasonable period for providing such information to an individual who is otherwise unaware that you have their data is one month, or on first communication with that person.
The notification must include:
- What data you are collecting,
- how you collect it,
- what you will use it for,
- with whom you will share it,
- how long you will keep it, and
- how you will safeguard it.
For some activities, such as direct marketing to potential and former candidates or clients, you may need to obtain consent. However, consent should be limited to those activities and not extended to processing for which you have another lawful basis for using their data. For further information on consent, read my blog post in The Staffing Stream, “No consent, no processing – the myth of GDPR.”
The third step for an organization that shares personal data with third parties is to enter into a data-sharing agreement with the other organizations. This may be a standalone agreement or, more commonly, part of the terms and conditions defining the relationship between those two parties.
Controller or processor? The entity in possession of the data will normally be a “data controller” for the purposes of GDPR and the recipient a “data processor.” The controller is required to assess the suitability of the data processor and the processor must only process the personal data in accordance with the terms of the data-sharing agreement.
Defining duties, liabilities. Both controllers and processors have duties and liabilities under the GDPR and these should be addressed in the agreement. The controller will ultimately remain liable to the individual for what happens to the data, but the processor may be subject to penalties for breaches of security and a failure to comply with their duties under the GDPR. The data-sharing agreement must therefore address liability and provide mutual indemnities where appropriate.
Joint controllers. In some circumstances, both parties — say, a staffing firm and a client employer — may maintain that they are the data controller in respect of the same data. Essentially, a controller is the one who determines how and why personal data is processed. There is no requirement for a contract between joint controllers (i.e., they determine the purpose and means of processing together) or controllers in common (i.e., both parties are controllers but they determine the purposes and means of different processing activities in relation to the same data). But the GDPR requires joint controllers to determine their respective responsibilities in a transparent manner and inform the data subject. It makes sense to document this arrangement in a data sharing agreement and spell out the lines of responsibility and liability to avoid disputes at a later stage.
And finally, any organization that handles personal data must look at its own internal governance to make sure there are robust safeguards to keep the data secure, and processes to abide by basic data protection principles. Key to this are two principles: data minimization and limiting access to data.
Reducing the personal data you hold to only what is relevant, accurate, up to date and adequate for your needs, but no more, will go a long way toward ensuring that you stick to best practice. Limiting who has access to the data, and training those who come into contact with personal information on their legal responsibilities, will provide another defense against breaching the GDPR.
For further information on the GDPR, CWS Counsel and SIA members may download the report “Implementing GDPR: A Guide.”