The new General Data Protection Regulation ("GDPR") entered into force on 24 May 2016, and will apply with effect from May 2018. We review some of the main implications for employers.
What is the GDPR?
The GDPR will replace the current Data Protection Directive. It applies directly in each Member State, which should reduce the level of national variation in relation to data protection law.
Employers must currently provide employees with certain information about the processing of their personal data, including the identity of the data controller and the purpose for which their data is being processed. The GDPR expands on this and requires employers to also inform employees how long their data will be stored and of any data transfers to third countries. Employees must also be informed of their right to make a data access request, and of their rights to rectify or delete their personal data.
Consent is often used as a legal basis for the processing of personal data. Where consent is relied upon, the consent must be freely given, specific, informed and unambiguous.
Employee consent is generally not considered by EU data protection regulators – including the Irish Data Protection Commissioner (“DPC”) – to be valid. This is because an employee’s consent is usually not deemed to be “freely given”, in light of the imbalance of power between employee and employer.
The GDPR reflects this position, and states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract.
Furthermore, where consent is given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.
The GDPR also provides that data subjects have a right to withdraw consent at any time.
It is still best practice for employers to seek employee consent under the employment contract, but employers should be cautious about relying solely on consent to justify processing employees’ personal data. Employers may instead justify the processing of employees’ personal data on the basis of the employer’s “legitimate interests”, but careful thought needs to be given to whether that basis applies to the processing in question.
Data Access Requests
The GDPR reduces the time-limit for complying with a data access request from 40 days to one month. Under the GDPR, employees will be able to make subject access requests free of charge.
Data Protection Officers
Article 35 requires Data Protection Officers (“DPOs”) to be appointed by all public authorities, except courts acting in their judicial capacity, and by entities involved in regular monitoring or large-scale processing of sensitive data.
Their main roles are to:
- advise data controllers/processors of their legal obligations;
- monitor compliance with the GDPR and with data policies and related training; and
- be a point of contact for the regulator.
DPOs must be independent and may be employees, contractors or consultants.
Data Protection Impact Assessment
Employers must carry out Data Protection Impact Assessments where the processing is likely to place individual rights at high risk. The GDPR contains a non-exhaustive list of instances which would require an assessment, including when sensitive personal data is being processed on a large scale or when the data controller is monitoring publicly accessible areas.
If an employee’s actions result in a data breach, there is a mandatory obligation to notify the supervisory authority without delay, within 72 hours if possible. Where the breach poses a high risk to the privacy rights of the individuals concerned, the affected data subjects must also be notified without delay.
The GDPR will have a significant impact on employers. Breaches can result in penalties of up to €20,000,000 or 4% of annual worldwide turnover for the previous year, whichever is greater. It is important not to underestimate the deadline for complying with the GDPR. In preparation, employers should:
- Think about how to best recruit, train and resource a DPO.
- Put in place clear data policies and procedures, particularly in relation to data breaches, in order to ensure timely notification.
- Review clauses regarding ‘consent’ in employment contracts.
- Ensure that there is a legitimate basis for the retention of data stored, and for the transfer of any data, e.g. in relation to HR.
- Ensure privacy notices and policies are easy for employees to understand.