The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It is the new governing legislation for collecting and processing personal data in the EU. It replaces the 1995 Data Protection Directive, and with it the UK legislation that implemented that Directive, and applies directly in all member states (the 28 countries that make up the European Union (EU) and operate in the single market, which allows free movement of goods, capital, services and people within the EU). The changes harmonise the data protection rules in place across member states, impose stricter obligations on those who process personal data and sensitive personal data, and increase the rights of data subjects. The regulation also reaches beyond the EU: it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, and it governs transfers of personal data to countries outside the EU.
The UK’s impending exit from the EU, which will follow a two-year negotiation process, does not exempt the UK from these regulations: the GDPR takes effect before the UK leaves.
The Information Commissioner’s Office (ICO) has confirmed that, following the UK’s exit from the EU, UK data protection law is likely to continue to follow the principles of the GDPR. The new regulation is comprehensive; below is a snapshot of the main changes and enhanced requirements.
Changes at a glance
Significant penalties can be imposed on organisations that breach the GDPR, including fines of up to €20,000,000 or 4% of annual worldwide turnover, whichever is greater, for the most serious infringements (a lower tier of up to €10,000,000 or 2% of annual worldwide turnover applies to others). The level of fine will depend on the type of breach and any mitigating factors, but it will nevertheless be a substantial increase on the current position.
The stricter obligations on processing personal data and sensitive personal data, together with the increased rights of data subjects, mean that from an employment perspective organisations will need to review what data they hold, the purpose for which they hold it and why they are processing it.
Current consent statements and contract clauses that employers rely on are unlikely to be adequate under the GDPR, which introduces more prescriptive requirements for obtaining consent. Consent must be ‘freely given, specific, informed and unambiguous’ and given by a clear affirmative action; the ICO’s guidance reflects this. Broad consent clauses in employment contracts to process employee data will therefore not be valid. As under the Data Protection Directive, consent to process sensitive data must be explicit. Consent to transfer personal data outside the EU will also need to be explicit.
Another key change is that employees will have the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. Because of the imbalance of power between employer and employee, consent given in the employment relationship is unlikely to count as freely given, so employers will generally need to rely on other lawful grounds for processing. These include compliance with a legal obligation, the performance of a contract with the employee, and the legitimate interests of the employer or a third party (provided those interests are not overridden by the employee’s rights and freedoms).
Data Subjects’ Rights
The regulation largely preserves the existing rights of individuals to access their own personal data.
Changes for the Employer:
- Employers will no longer be able to charge a fee for subject access requests, except where a request is manifestly unfounded or excessive, or where further copies of the data are requested.
- Employers will have one month from receipt to respond to subject access requests. This can be extended by a further two months if the request is complex or the employer has received a large number of requests, provided the employee is told of the extension, and the reason for it, within the first month.
- Other features are significant new rights for employees, including the ‘right to be forgotten’ (the right to have personal data erased in certain circumstances) and the right to data portability, which entitles employees to receive the personal data they have provided in a structured, commonly used and machine-readable format and to have it transmitted to another controller.
The GDPR increases the amount of information employers need to include in privacy notices. Employers will need to explain the legal basis for processing the data, the data retention periods and the right to complain to the ICO if employees believe there is a problem with the way the employer is handling their data. All information provided must be in clear language, concise and easy to understand.
Data protection by design and Data Protection Impact Assessments
This refers to designing projects, processes, products or systems so that privacy implications are considered at the outset rather than added afterwards. A Data Protection Impact Assessment (DPIA), referred to in current ICO guidance as a Privacy Impact Assessment, identifies where privacy risks exist and how to minimise them, and the GDPR makes one mandatory where processing is likely to result in a high risk to individuals, for example large-scale monitoring of employees. Although a privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles, the GDPR makes it an express legal requirement.
New breach notification requirement
The GDPR imposes a new mandatory breach reporting requirement. Where there has been a personal data breach (an accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data), the employer as data controller must notify the data protection authority, and provide certain prescribed information, without undue delay and within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The ICO has outlined that companies should notify the ICO where the breach means that individuals are likely to suffer some form of damage, such as identity theft or a loss of confidentiality. Where the breach poses a high risk to the rights and freedoms of individuals, the affected individuals will also have to be notified without undue delay. Employers must also keep an internal record of every breach, including those that do not need to be reported.
Data Protection Officer
Organisations will need to establish whether they must appoint a Data Protection Officer. All public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data, will need to appoint one. The Data Protection Officer will advise on GDPR obligations, monitor compliance and liaise with the data protection authority (the ICO in the UK). There is no express requirement for them to hold a professional qualification or certification, but they must have the expert knowledge, support and authority to undertake their responsibilities effectively, and they must report directly to the highest level of management.
How to prepare now: key considerations and actions from an HR perspective
Although many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act 1998 (DPA), there are, as outlined above, various enhancements to the existing principles. Important steps to take now include:
- Carry out a data audit. Carefully assess the HR data currently held, where it came from, who it is shared with and the related processing activities, and identify any gaps against the GDPR.
- Review current privacy notices and update them to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.
- Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether it meets the GDPR requirements and remember that consent may be revoked at any time. Employers will generally need to rely on one of the other legal grounds to continue to process employee personal data, and the ground chosen must be documented and stated in the privacy notice.
- Develop a data breach response programme to ensure prompt notification within the 72-hour deadline. Allocate responsibility to named people to investigate and contain a breach, assess the risk to the individuals affected, and make the report. Train employees to recognise and escalate data breaches, and put appropriate policies and procedures in place.
- Determine if a Data Protection Officer must be appointed and, if so, think about how best to recruit, train and resource one.