Heralded as the biggest development in data protection in the last 20 years, the General Data Protection Regulation (EU) 2016/679 (“the Regulation”) entered into force in May 2016 and will apply from 25 May 2018. The changes will completely overhaul the current data protection regime in Ireland.
The Regulation replaces the Data Protection Directive (95/46/EC) on which the current Irish legislation, the Data Protection Acts 1988 and 2003 (the “Data Protection Acts”), is based. As a Regulation it applies directly in Ireland without the need for transposition, although new local legislation is expected to be introduced to supplement it and to repeal the Data Protection Acts.
The Regulation will have a number of important implications for all employers in Ireland. While the Regulation affects all data controllers and processors, this article focuses on some of the key changes that employers will need to consider and prepare for.
1. New rules for dealing with employee Data Access Requests
Under the current legislation, employers must respond to employee data access requests within 40 days and may charge a fee of up to €6.35 for dealing with them. Under the Regulation, the fee is abolished (a reasonable fee may be charged only where a request is manifestly unfounded or excessive, or for further copies of the data) and the timeframe is reduced to one month. That month may be extended by a further two months where requests are complex or numerous, but only if the employee is told of the extension, and the reasons for it, within the first month.
2. The appointment of a Data Protection Officer
Under the Regulation, certain organisations are required to appoint a Data Protection Officer (“DPO”). These are:
- A public authority or body (other than courts acting in their judicial capacity)
- Organisations whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Organisations whose core activities consist of processing on a large scale of special categories of data (such as health data or trade union membership) or of personal data relating to criminal convictions and offences
Even if your organisation does not fall within these specific categories, the prevailing view is that every organisation should have either a DPO or ready access to equivalent expertise, since the Regulation requires controllers to be able to demonstrate their compliance. An organisation that appoints a DPO voluntarily is bound by the same rules on the DPO’s position and tasks as one that is obliged to appoint.
The Regulation provides that the DPO must act independently, must not receive instructions regarding the exercise of his or her tasks and must report directly to the highest management level of the organisation. The role can be fulfilled by an existing employee, but only where that employee’s other duties do not give rise to a conflict of interest. Any role that determines the purposes and means of processing employee data is likely to conflict, which may exclude HR managers from also covering the DPO function.
In order to protect the independence of the position, the Regulation confers certain employment protections on those fulfilling the role: the DPO cannot be dismissed or penalised by the employer for performing his or her tasks.
We will be issuing a further blog next week exploring the role and duties of a DPO.
3. The right to be forgotten
The Regulation puts the “right to be forgotten” (formally, the right to erasure) on a statutory footing and provides that an employee may request the deletion of his or her personal data where, for example, the data are no longer necessary for the purpose for which they were collected, the consent relied on has been withdrawn, or the data have been processed unlawfully. The right is not absolute: an employer may retain data where it is legally required to do so (for example payroll and other statutory employment records) or where the data are needed for the establishment, exercise or defence of legal claims, and it should record the ground relied on whenever it refuses a request. Employers are already dealing with an increasing number of data access requests and should be prepared, in due course, to deal with erasure requests in addition to the standard data access requests.
4. Breach notifications
There is currently no statutory obligation for an employer to report a data breach to either the Data Protection Commissioner or affected employees. This will change: the Regulation introduces an obligation to report a personal data breach to the Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. Where the breach is likely to result in a high risk to them, the affected employees must also be told without undue delay. Whether or not a breach is reportable, the employer must keep an internal record of it, its effects and the remedial action taken, which the Commissioner may inspect. Practically speaking, this will require employers to establish a data breach response procedure that identifies who is told of a suspected breach, who assesses the risk to employees, who decides whether to notify and how the 72-hour clock is evidenced.
5. Compensation for affected employees
The current legislation contains no express right to compensation; an employee’s only route is the general duty of care owed by data controllers under section 7 of the Data Protection Acts, which the courts have held requires proof of actual loss. The Regulation, by contrast, provides that any person who has suffered material or non-material damage as a result of an infringement shall have the right to receive compensation from the controller or processor. This provision significantly strengthens an affected employee’s position and may ultimately put a monetary value on personal data breaches. Employers should expect that disgruntled employees may add data protection claims to the usual employment claims in an effort to increase any negotiated exit payments.
6. Significant increase in fines for breach of the Regulation
Currently, only a small number of breaches of the Data Protection Acts constitute an offence carrying potential fines (up to €3,000 on summary conviction or €100,000 on conviction on indictment), and prosecutions in the HR context are rare.
The Regulation does not itself create criminal offences (that is left to national legislation), but it allows the Commissioner to impose significant administrative fines directly on employers, and failure to comply with a data access request, or with any other data subject right, falls into the higher of the two tiers. The two tiers are as follows:-
- Fines of up to €10 million or up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of obligations such as security of processing, breach notification and the appointment of a DPO.
- Fines of up to €20 million or up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the basic principles of processing, of data subjects’ rights, of the rules on international transfers, or of an order of the Commissioner.
While fines of this magnitude are unlikely to be imposed on employers save in the most serious of cases (the Commissioner must have regard to the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage), the size of the potential fines clearly demonstrates the importance that the EU places on data protection rights.
Given these fines and the risk of compensation claims, employers are advised to get “Regulation Ready” by conducting a data protection audit of their data collection, processing and retention procedures, which will also form the basis of the written record of processing activities that the Regulation requires. Employers will also need to review and update their data protection policies and employee privacy notices ahead of 25 May 2018.