New Data Protection regime – implications for employers
At the end of May, the EU finalised its new regime for data protection. With a two year run-in period, the General Data Protection Regulation (or GDPR) will apply from 25 May 2018.
The GDPR aims to introduce a “one-stop shop”, with a common set of rules applying across the EU. Although the European Commission claims that this will save businesses some €2.3bn per year, its assessment has been challenged. For example, the Brussels European Employee Relations Group predicts not a saving but a cost for business of €3.3bn per year. Whatever the overall figure, within the employment arena, savings are unlikely: member states have a specific carve-out from the one-stop shop and will have power to impose more specific national rules.
The rules are backed up by tougher penalties. If you get it wrong, the maximum penalty is €20m or, if higher, 4% of worldwide turnover. Although not every mistake will lead to a penalty, the potential exposure will lead to most organisations putting greater focus on compliance.
The GDPR bites on any area in which personal data is processed; but it is in relation to employment that businesses are likely to process most data. So what are the implications for employers?
Information on data
Employers are currently required to provide information on the purposes for which data is processed. The GDPR extends this. Employers will need to specify the legal basis for processing. In an employment context, much processing relies on the employer’s “legitimate interests”. These interests will need to be spelt out. Employees will also be entitled to information on how long data will be kept and on legal rights such as the subject access right.
Consent is commonly used as a legal basis for processing – normally through the contract of employment. The new rules tighten this. Consent must be informed and freely given with a genuine choice, and, because of the imbalance of power between employer and employee, consent given as a condition of employment will rarely satisfy that test. Employees can also withdraw consent at any time, which makes it an unreliable basis for processing that the employer needs to continue.
Data subjects’ rights
The rules on data subject access will change. The fee will be abolished and the time for compliance reduced to one month (though this may be extended where a request is complex). If a request is manifestly unfounded or excessive, the employer may either charge a reasonable fee or refuse to carry it out – a positive change which should lead to constructive discussion over the information to be provided.
Data subjects will have the benefit of a package of other rights: to erasure (the right to be forgotten), and rights to rectify, restrict and object to processing.
Employees make mistakes – they leave laptops on trains, send emails to the wrong person and are careless with passwords. Under the new rules, employers discovering a personal data breach must notify the regulator without undue delay (and, where feasible, within 72 hours) unless the breach is unlikely to result in a risk to individuals, must tell the affected individuals where the risk is high, and must keep records of all breaches, including those not reported.
Other changes include:
• Rather than simply complying with the law (as now), employers will have to demonstrate compliance; an obligation which shifts the burden of proving compliance to the employer.
• Data protection by design – when developing new systems, building in safeguards to protect data. Employers looking at new HR systems should take this into account in the specification.
• Data protection officers (DPOs) must be appointed if core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data, and in the public sector. A DPO may be an employee or a consultant – but must be independent.
And what about Brexit?
If the UK votes for Brexit and leaves the EU, will that make a difference? Although the GDPR would not apply directly, if data is transferred to the UK from within the EU, the UK will have to meet EU standards of protection. Also, if UK businesses offer goods or services within the EU (as they will of course), they will have to comply with the GDPR.
Although there may be some room for flexibility as to the details, Brexit will not make much difference.
What should employers do now?
Although the new rules will not apply until 2018, forward planning is a good idea. The potential penalties will lead to boards taking a more active interest.
• Get granular: identify data systems, personal data and what you do with it.
• Understand the legal basis for processing the data. Work out your “legitimate interests”.
• Identify who takes overall responsibility – consider appointing a DPO.
• Review documentation – you will need a lot more.
• Establish a policy with a timeline for handling data breaches.
Training will be vital.