GDPR[1] together with increasingly stringent data protection legislation in many jurisdictions presents a major headache for companies conducting investigations[2].

There are now significant challenges in lawfully reviewing employee data and doing so requires careful consideration and management of data privacy risks (and documentation of this process). Many organisations do not adequately manage these risks when conducting investigations but failure to do so may create new regulatory issues.

Why is this an issue?

  • The concepts of personal data and processing are extremely broad under GDPR and employee consent, even where obtained, often cannot be relied upon.
  • Data has become increasingly voluminous and complex (in that personal and work data is increasingly merged, for example on mobiles and tablets).
  • Increased international and extraterritorial enforcement, together with cloud storage, increase the need for cross-border data transfers when conducting investigations.
  • Employees subject to investigations are increasingly aware of their rights to privacy and active in asserting them (and data privacy regulators are increasingly active in enforcing against companies that infringe data privacy laws).

What do companies who conduct investigations need to do to manage data privacy risks?

  • As far as possible, ensure that they have obtained appropriate consents and provided appropriate privacy notices telling individuals how their personal data will be handled in the context of investigations. If these are inadequate, they should be revised on a proactive basis rather than as and when an investigation arises.
  • Teams who conduct investigations need to have a clear understanding of the grounds on which they can collect and review data, and the extent to which they are lawfully entitled to do so (including how to ensure that the data collected and reviewed is limited to what is necessary for the purposes of the relevant investigation). Teams should put in place practical and defensible protocols to follow when collecting and reviewing data.
  • Legal advice should be sought in all relevant jurisdictions when collecting, reviewing and transferring data between jurisdictions and the process undertaken to consider and manage data privacy risks in these circumstances should be carefully documented. In all cases, particular care should be taken to ensure that any transfers of data overseas (both within and outside an organisation) comply with applicable data protection laws.
  • Those interfacing with regulators and prosecutors need to be careful about whether data is provided to regulators (e.g. in some scenarios it may be beneficial to ask for voluntary requests to be compelled and it may need to be determined whether the regulator can legally compel the data in question, particularly where that data is overseas).

What are the grounds for processing personal data?

The GDPR sets out the conditions under which employees’ personal data can be processed. In order to process personal data lawfully, at least one ground must apply. The key grounds relevant to investigations tend to be:

  • consent (it will not be valid unless it is freely given, specific, informed and unambiguous);
  • processing in order to comply with the law (e.g. compelled requests where non-compliance would be an offence); and
  • where processing is required for the company’s legitimate interests, except where these interests are overridden by the interests or rights of the data subject.
Organisations must inform their employees of how they will handle their personal data, including in the context of investigations in order to satisfy the transparency obligation under the GDPR. The provision of this information is also key to supporting an argument that the legitimate interest ground can be relied on.

It is possible to avoid providing notice of the processing (which is a requirement under Article 13 of the GDPR) in certain circumstances, for example if the crime and taxation exemption applies under the Data Protection Act 2018, provided that providing the information about the collection of data would be likely to prejudice the prevention or detection of crime. In some cases, an employer will be willing to take the risk.

Is a Data Protection Impact Assessment required?

An impact assessment is required if the investigation is likely to result in a ‘high risk to the rights and freedoms of natural persons’ (for example, if conducting ongoing surveillance of employee communications). If this is the case, the company will need to consider and document the nature and scope of the proposed investigation, the reasons for conducting the review, its assessment of the necessity and proportionality of the measures, the risks associated with the processing, and the impact on the employee’s privacy.

Ongoing considerations

Any legitimate interests assessment or data protection impact assessment must be kept under review and updated as required throughout the investigation (at least when there is a change of the risk represented by processing operations). When processing data, an assessment must be made as to whether it is being processed in a manner that is compatible with the original purpose.

In general, no sensitive or private employee data, such as personal photos, medical appointments or private emails should be collected or reviewed. In light of these considerations, possible approaches include: (i) limiting the timeframe of the review; (ii) limiting who has access to the data; (iii) using focused search terms and/or technology assisted review to restrict what communications are reviewed; and (iv) ensuring that all custodians can be justified.

In order to comply with the principle of accountability, details of any data protection decisions made in relation to an investigation, such as the legitimate interest balancing test outcome or a decision taken about the application of an exemption to the transparency requirement, should be documented in case evidence needs to be produced.
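The scoping approaches (i) to (iv) above and the accountability documentation described in this paragraph can be made concrete in the collection step itself. The following script is an added illustration, not part of the original article: the messages, custodian justifications, search terms and the `personal` triage flag are all constructed assumptions. It applies a justified custodian list, a date window, focused search terms and an exclusion of content flagged as private, and records one decision per message so that the resulting summary can be filed alongside the legitimate-interests assessment.

```python
"""Scoped collection of messages for an internal investigation (constructed example).

Shows data minimisation (custodian, date window, search terms, exclusion of
private content) with every decision recorded for the accountability file.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str
    sent: date
    subject: str
    body: str
    personal: bool = False  # marked private/non-work at triage (constructed flag)


@dataclass(frozen=True)
class ReviewScope:
    custodians: dict          # custodian -> written justification for inclusion
    start: date               # first day of the review window (inclusive)
    end: date                 # last day of the review window (inclusive)
    terms: tuple              # focused search terms agreed for this matter
    exclude_personal: bool = True


def apply_scope(messages, scope):
    """Return (in_scope, log); log holds one (msg_id, decision, reason) per message."""
    if not scope.terms:
        raise ValueError("a review scope must have at least one search term")
    pattern = re.compile("|".join(re.escape(t) for t in scope.terms), re.IGNORECASE)
    in_scope, log = [], []
    for m in messages:
        if m.custodian not in scope.custodians:
            log.append((m.msg_id, "excluded", "custodian not on justified list"))
        elif not (scope.start <= m.sent <= scope.end):
            log.append((m.msg_id, "excluded", "outside review window"))
        elif scope.exclude_personal and m.personal:
            log.append((m.msg_id, "excluded", "flagged as personal content"))
        else:
            hits = sorted({h.lower() for h in pattern.findall(m.subject + " " + m.body)})
            if not hits:
                log.append((m.msg_id, "excluded", "no search-term match"))
            else:
                in_scope.append(m)
                log.append((m.msg_id, "included", "matched: " + ", ".join(hits)))
    return in_scope, log


def accountability_record(scope, log):
    """Summarise the scope and the decisions taken, in a (hypothetical) form that
    can be filed with the legitimate-interests assessment."""
    reasons = {}
    for _, decision, reason in log:
        key = f"{decision}: {reason.split(':')[0]}"
        reasons[key] = reasons.get(key, 0) + 1
    return {
        "custodians": dict(scope.custodians),
        "window": (scope.start.isoformat(), scope.end.isoformat()),
        "terms": list(scope.terms),
        "exclude_personal": scope.exclude_personal,
        "messages_considered": len(log),
        "decisions": reasons,
    }


SAMPLE_MESSAGES = [  # constructed sample data
    Message("m1", "alice", date(2023, 2, 10), "Q1 invoice approvals",
            "Please approve the attached invoice batch."),
    Message("m2", "alice", date(2023, 3, 5), "Dentist",
            "Paying the dentist invoice on Friday.", personal=True),
    Message("m3", "bob", date(2022, 12, 20), "Rebate scheme",
            "Draft rebate scheme for next year."),
    Message("m4", "bob", date(2023, 4, 1), "Lunch?", "Want to grab lunch today?"),
    Message("m5", "carol", date(2023, 4, 15), "Rebate figures", "Rebate figures attached."),
    Message("m6", "bob", date(2023, 5, 30), "Re: rebate", "Updated REBATE figures attached."),
]

SAMPLE_SCOPE = ReviewScope(  # constructed scope for the sample matter
    custodians={"alice": "approved supplier invoices in Q1-Q2 2023 (constructed)",
                "bob": "administered the rebate scheme (constructed)"},
    start=date(2023, 1, 1), end=date(2023, 6, 30),
    terms=("invoice", "rebate"),
)

if __name__ == "__main__":
    reviewed, decisions = apply_scope(SAMPLE_MESSAGES, SAMPLE_SCOPE)
    for m in reviewed:
        print("review:", m.msg_id, m.custodian, m.sent, m.subject)
    print(accountability_record(SAMPLE_SCOPE, decisions))
```

Narrowing the scope later in the investigation (as the "Ongoing considerations" above require) is a matter of constructing a new `ReviewScope` and re-running `apply_scope`; keeping each scope and its record gives the re-documentation trail the accountability principle calls for.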

Key takeaways

  1. It is now much more difficult to rely on an employee’s consent as a ground for processing.
  2. If consent cannot be relied on, another ground for processing will need to be identified (usually the employer’s legitimate interest in reviewing the data).
  3. Where reliance is placed on the legitimate interests ground, the balancing exercise (i.e. between the interests of employer and employee) should be carefully documented.
  4. In some circumstances (e.g. employee surveillance) a documented impact assessment may be required.
  5. Processing should be necessity-based (only when and to the extent necessary – which should be re-evaluated throughout the investigation and re-documented as necessary).
  6. Additional requirements may apply where personal data is being transferred from one jurisdiction to another as part of an investigation.
  7. Steps should be taken to limit as far as possible the review of sensitive personal data.
[1] General Data Protection Regulation 2016/679.

[2] GDPR applies to organisations that are established in the EU (regardless of whether the personal data that they process is of EU data subjects or not). The GDPR also applies to the processing of personal data by non-EU entities, where such processing is in the context of offering goods or services to data subjects in the EU or in the context of monitoring of the behaviour of data subjects in the EU.