After years in the making, mid December 2015 finally saw the EU Commission agree on the text of new data protection legislation. At the heart of the legislation will be the General Data Protection Regulation (GDPR), which will repeal the current UK legislative framework contained in the Data Protection Act 1998 (DPA). The GDPR will seek to modernise data protection laws in line with the new digital age in which we live. It also has the purpose of harmonising data protection rules across the EU.
The agreed text of the GDPR has already been published. Although we are still awaiting official guidance and various statements of practice on how organisations will be able to comply with the new rules, the agreed text gives the green light for employers to start planning for when the new regime takes effect. It is expected that the GDPR will be formally adopted in Spring of this year with an anticipated date of March 2018 for the new rules to become law.
What are the headline points for employers?
Consent will need to be freely given, specific, informed and unambiguous. Consent obtained by standard data protection clauses in contracts of employment is unlikely to meet this new definition. This means that employers will need to find a new mechanism for obtaining an employee’s consent or find another ground on which to lawfully process an employee’s data. Finding an alternative lawful ground for processing is unlikely to be difficult in the employment context but employers will need to give thought to each separate category of employee data and record the ground upon which they will rely in each case. In other words, the ‘one size fits all’ approach will disappear and consent will no longer provide the safety net it has traditionally been for employers.
It will also be important for employers to consider whether obtaining renewed consent from existing employees is necessary and, if so, how that is best approached.
Subject Access Requests
Subject access requests have become the bane of many HR practitioners' lives over recent years. Disgruntled employees have tended to use the mechanism as a precursor to employment litigation and/or to add nuisance value. The current fee of £10 chargeable by employers will disappear, albeit employers will be given some discretion to charge a reasonable fee based on administrative costs in limited cases where the request is ‘manifestly unfounded or excessive’ (e.g. in the case of repeat requests) or where there are grounds to refuse the request. The 40 day statutory timeframe for a response will also be removed and instead be replaced with an obligation on employers to comply without ‘undue delay’ and within at least one month of a request. An extension of up to 2 months will be possible for particularly complex requests. Arguably, the removal of the 40 day window for response has made an employer’s duty to comply with subject access requests more onerous.
Enhanced Data Subject Rights
The GDPR will introduce tougher obligations around the quality of the data held by organisations and the period for which the data will be stored. This will be directly relevant to personnel records and other employee data held by employers. Furthermore, under the GDPR, data processing must be carried out for the original purpose(s) for which it was collected unless the new purpose is compatible. This is something that employers will also need to keep their eye on.
The Right to be Forgotten
There has been much publicity around this concept since Google’s search engine practices were found to be in breach of existing EU data protection law in 2014. In fact, on 11 February 2016, Google announced that requests from individuals to remove information about them mean that removed results will not appear on any version of Google worldwide (e.g. Google.com) where a European IP address is detected. Previously, search results were only omitted from European versions of Google.
The protection afforded by this concept is clearly strengthening and the GDPR will give further weight, with the effect that where an individual no longer wants their data to be processed (and providing there are no justifiable grounds for retaining it) the data will have to be deleted.
Cross border data transfers
The GDPR contains similar restrictions on transfers of personal data outside the EU to those under the DPA. Data can be transferred under a Commission adequacy decision (the GDPR contains details of how these should be reached), standard contractual clauses, or binding corporate rules for intra-group transfers. In addition, there are limited possibilities to transfer data with consent or where it is necessary for the performance of a contract. All of this will be relevant where employers wish to transfer employee data abroad, perhaps in order to keep employee data in one central global HR function.
Of relevance to this issue is the very recent announcement by the European Commission that a new agreement for the transatlantic transfer of data has been reached with the US authorities. The new EU-US Privacy Shield was necessary in light of a landmark decision of the ECJ in October 2015 which declared UK – US data transfers under the previous safe harbour principles unlawful. A decision of adequacy on the proposed new framework is expected in the foreseeable future, which should give organisations certainty as to whether transatlantic data flows under the proposed regime are lawful.
Taylor Wessing’s data protection experts will be holding a webinar on the EU-US Privacy Shield and the future for US data transfers on Tuesday, 15 March 2016, 16:30 – 17:30 GMT (12:30 – 13:30 EDT) to discuss the developments, with a particular focus on what comfort the Privacy Shield really brings and what the regulators think, including their attitude to enforcement on this issue. The webinar will also review the remaining valid EU-US data transfer mechanisms in the form of model contract clauses and Binding Corporate Rules, and what to expect over the coming months.
Data Protection Impact Assessments
Organisations will be required to carry out data protection impact assessments (DPIAs) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals. The obligation to undertake and document DPIAs is likely to be triggered when employers use psychometric testing techniques and where vetting of employment candidates regularly takes place. These are just two examples and there are likely to be others.
Employers will need to inform the regulator of a personal data breach within 72 hours of becoming aware of the breach unless they are able to demonstrate that the breach is unlikely to result in risk to the individual’s rights and freedoms. Whilst self-reporting has always been an option open to employers in order to mitigate the risk of enforcement action, this has now become an obligation on employers for, arguably, all but the most trivial of breaches.
Data Protection Officers
There is a requirement to appoint a data protection officer (DPO) where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Member States will have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs. This obligation has been watered down materially from the original proposal, and HR departments should keep an eye on how this particular concept develops to assess whether a DPO needs to be appointed in the case of their organisation.
This legislation will bite. There will be vastly increased levels of monetary penalties for non-compliance. Fines will be levied up to 4% of annual global turnover or 20 million Euros, whichever is greater.
What should employers be doing now?
This is relatively straightforward in comparison.
There are a number of immediate practical steps which HR departments can take to prepare for compliance with the new framework:
- Carry out an HR data protection audit on the organisation’s current data protection policies and practices. This will identify areas which will need to change in order to comply with the new rules.
- Any audit should include a careful review of existing contracts of employment, staff handbooks and employee policies relating to data protection and subject access to assess what amendments will be required.
- Start thinking about putting an effective policy in place for reporting future data breaches. It is suggested that any data breach response plan will need to tie in closely with an organisation’s current whistleblowing procedures. Make a preliminary assessment of which employees within the organisation will require early training on the new reforms with a view to rolling out revised data protection training for all employees nearer to the date of implementation.
- Appoint someone within the organisation to oversee compliance with the reforms.
- Keep an eye on the ICO website for any updated guidance on how to prepare for compliance. We will also be monitoring developments closely and reporting regularly on Taylor Wessing’s Global Data Hub.
What to take away?
Data protection can be a difficult and laborious issue for HR practitioners to grapple with, and the planned reforms do nothing to change that. The new data protection regime is complex and will only add to the workload of HR departments in the long run unless careful planning is undertaken to ensure that employers can fully comply with the rules when they become law in early 2018.
In our experience, many employers tend to regard data protection compliance as low risk and often choose to take a pragmatic view on whether full compliance is necessary. This is sometimes due to the effort involved and perhaps the reasonable approach the Information Commissioner’s office has taken to date on enforcement of all but the most serious issues. It is important to bear in mind that the data protection landscape will change materially upon the new EU data protection legislation taking effect. Not only do employers risk much more onerous penalties for breach (see above) but, unlike when the Data Protection Act 1998 first came into force, there is unlikely to be any transitional period or ‘soft landing’ which allows organisations time to get up to speed with the new rules and during which the ICO may be inclined to take a light touch approach to compliance. There is no time like the present and the time to act is now.