In the second of the series by Crowley Solicitors on data processing in the workplace, Eimear Boyle gives an overview of the prevalence of risk and explains how HR professionals should start thinking about their approach to and involvement in some of the risk assessments required under the General Data Protection Regulation (GDPR).

The GDPR obliges controllers and processors of personal data to take a risk-based approach to their processing activities. For business units operating in a risk-based environment this will be a familiar concept and language but for many HR professionals the world of risk is unchartered, yet many of you will now be asked to contribute to or even complete risk assessments.

When does the GDPR oblige you to address risk?

Quite simply, everywhere; the GDPR consistently requires controllers to have regard to the likelihood and severity of risk(s) to the rights and freedoms of natural persons as a result of their processing activities.

Some specific examples of where addressing risk arises in the context of data processing at work include:

• The introduction of a new technology to monitor employees, for example, by monitoring incoming and outgoing emails as a means of detecting threats to your IT systems or using mobile device management. From 25 May 2018, prior to the introduction of the technology and initiating the data processing activity, a data protection impact assessment (DPIA) should be conducted. A critical part of any DPIA is risk identification, assessment and mitigation. Depending on the strategy adopted by your organisation, you will likely be asked to contribute to a DPIA consultation process. A specific part of a DPIA is to assess the risks to the rights and freedoms of data subjects, in this case, employees. As the data subject facing part of the organisation, it is logical to expect that the views of the HR team will be sought when assessing and mitigating the risks to employees.

• Monitoring of employees outside the workplace. Keeping with the monitoring technology theme, the risk to an individual’s privacy is often increased when devices used for work are deployed at home, for example, remote working. The employer’s concern for the security of their systems when employees work remotely is based on the perceived increased risk of unauthorised access to the employer’s systems. Whilst this risk assessment may be valid, an employer should be careful not to overstep the line when deciding on how to mitigate the risk. The use of overly intrusive monitoring technology is unlikely to be a proportionate means of mitigation. Ensuring all mobile devices are properly secured and encrypted together with training employees in the appropriate security measures when they are working offsite are considered less intrusive and, therefore, proportionate to the risks posed. A transparent, clear and appropriate “bring your own device” policy must also be implemented, so that there are no blurred lines between any monitoring or scanning of the personal aspects of a device in the context of securing the transfer of the employer’s own data.

• The extraction of personal data from a candidate’s social media account(s) to use as part of the recruitment process – whilst this may be common practice it is not permissible under current data protection legislation nor the GDPR, unless the prospective employer has a legal basis to do so and has clearly informed candidates of this practice. In terms of having a legal basis, the employer may have concluded, based on the risk profile of the role that they need to review social media profile(s). A prudent approach should be taken towards assessing risk and why the risk ranking makes it necessary for the prospective employer to review and use personal data in this context.

• A personal data breach – under the GDPR, a personal data breach must be notified to the relevant supervisory authority (ies) or to data subjects depending on the level of risk to the rights and freedoms of natural persons. Where there is a risk to these rights and freedoms, the controller must notify the breach to the supervisory authority within 72 hours of becoming aware of the breach (Article 33 (1)). Where the risk is high, the controller must communicate the details of the breach to the data subjects “without delay” (Article 34 (1)).

Some of the types of risks to individuals that you may wish to consider in an assessment include: distress, inconvenience, identity theft, financial loss and physical harm. Where special category (sensitive) data is involved, the risks to individuals is automatically greater. The same is true where a large number of individuals are at risk of being affected by the processing activity.

By way of practical advice to organisations in general, we always recommend documenting risk assessments and maintaining a risk register to log and track the risk journey from inception through to analysis, ranking and mitigation together with the clear reasoning and justification for proceeding with processing activities notwithstanding the risks. In the event of an audit or inspection by the supervisory authority into processing activities or for your internal use as part of your regular auditing or in the instance of a personal data breach, your risk assessments and risk register will give you a head start in accounting for your organisation’s data processing activities.