Data Protection Reform – Advance Planning by Employers will be Key
After years of negotiations and consultations, in mid-December 2015 the EU informally agreed to new data protection legislation – a regulation and directive – which will replace the patchwork of current data protection laws dating back to the mid-90s.
The penalty for breaking the new rules will greatly increase: potentially up to €20,000,000, or 4% of an organisation's total worldwide annual turnover (compared with the current, comparatively low, UK maximum of £500,000), so employers who currently regard data protection compliance as a low-risk issue will need to re-assess this position.
The size of the potential liability will mean that HR Directors and In-house Counsel who may in the past have taken a pragmatic view on employee data protection risks when dealing with, e.g., cross-border employee investigations will in future need to ensure that they pay as much attention to the data privacy issues and liability as to the employment law and discrimination risks.
There is no question that the work ahead for large employers generally will be considerable: employers will need to think about redesigning their data protection systems, revising their data protection policies and training, renegotiating their contracts with data processors and looking at their arrangements for the transfer of employee personal data, to take some examples.
What are the aims of the reform?
The aims of the reform are to:
- Reinforce data protection rights of individuals;
- Facilitate the free flow of personal data in the digital single market; and
- Reduce administrative burden.
The European Commission estimates that the new rules will bring benefits at €2.3 billion per year.
What constitutes the reform?
The reform consists of two pieces of legislation:
- The General Data Protection Regulation (GDPR), to enable European citizens to better control their data; and
- The Data Protection Directive, which focuses more on the police and criminal justice sectors.
In this news alert, we briefly focus on some of the key changes for employers who process personal data and what they should do now to plan ahead for 2018.
Key changes for employers:
- One-stop-shop: unlike the current patchwork of 28 different supervisory authorities, the reforms will mean that companies which do business in the EU will only have to deal with one single supervisory authority under a pan-European scheme. Greater harmonisation is likely to be viewed favourably by many employers; however, member state law or collective agreements may still provide for specific rules on the processing of employee personal data.
- Consent: to process personal data, employee consent will need to be freely given, specific, informed and unambiguous. Currently employers typically rely on a brief statement agreeing to data processing which is included in the employee’s contract of employment or staff handbook, or on implied consent (although the ICO has never endorsed this approach). Consent obtained via employment contracts etc. is unlikely to be sufficient under the reforms, which will now require a “clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement” to the processing of personal data.
- Transparency & Information: at the moment employers are required to fulfil a number of conditions when processing personal data, e.g. ensuring that the processing is necessary and that the data is fairly and lawfully processed. The reforms will introduce tougher obligations, including on the quality of the information provided to data subjects, which should be concise, transparent, intelligible, easily accessible and expressed in clear and plain language. Other rights (some of which exist currently) will include the right to be told the legal basis for the processing and the period for which the data will be stored, the rights of access to, rectification of and erasure of personal data, and the right to lodge a complaint with a supervisory authority.
- A “right to be forgotten”: where an individual no longer wants their data to be processed (and provided there are no legitimate grounds for retaining it, e.g. compliance with a legal obligation), the data will have to be deleted.
- Data protection by design and data protection by default: employers will need to put in place ‘technical and organisational’ measures to ensure that they comply with the regulation. This will include adopting internal policies and measures which meet the reform’s principles of data protection by design and data protection by default. The onus will be on employers to be able to demonstrate compliance with the regulation. Certain circumstances will also require impact assessments to be carried out (where processing operations are likely to result in high risks for the rights and freedoms of individuals).
- Subject access requests: the current fee of £10 chargeable by employers when processing a data subject access request (SAR) will be removed, although a reasonable fee based on administrative costs may be charged, or the request refused, where the request is unfounded or excessive (e.g. repeat requests). The 40 day statutory time frame for responding to a SAR will also be removed; instead, information will need to be provided without undue delay and, at the latest, within one month of receipt of the request. It will be possible to extend this by a further two months where, for example, the request is particularly complex.
- Outsourcing data processing: whereas data controllers have typically held primary responsibility for compliance with the current data protection laws when outsourcing processing, both data processors and controllers will have liability under the regulation and will need to ensure that appropriate safeguards and measures are in place for compliance, along with evidence of the processing activities.
- Data breaches: where a personal data breach occurs, employers will need to notify the supervisory authority without undue delay and no later than 72 hours after having become aware of the breach, unless the employer is able to demonstrate that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
- Appointment of a data protection officer: it was previously proposed that processors employing 250 persons or more would be required to appoint a data protection officer; this will now only be relevant in limited cases, mainly for organisations which regularly and systematically monitor data subjects on a large scale or process sensitive personal data.
Whilst there is a two year framework for employers to get their data protection obligations in order, planning needs to start shortly, for larger employers in particular, given it is likely to be a lengthy process.
- Identify within your organisation who will spear-head compliance with the new regime. Ensure they have the necessary information to do so effectively and have the time and organisational support to plan for the reforms.
- Review and consider the reform documents when they are published in spring.
- Carry out a data protection audit on your organisation’s current data protection policy and processes to establish what changes will need to be made to be compliant under the new regime. Keep an eye on the ICO website (www.ico.org.uk) for advice and guidance on what steps can be taken to prepare.
- Review your contracts of employment, staff handbook and other related policies to consider how they currently deal with issues such as consent to data processing.
- Consider how data will be readily accessed and removed where data subjects have withdrawn consent or the data is no longer necessary.
- Start putting together a data breach response plan which carefully considers the process for effectively notifying data breaches, including the documentation necessary. Specific roles and responsibilities should be allocated in due course, to ensure compliance with the regulation’s time frames, along with the training of staff.