The Information Commissioner’s Office (ICO) has published an Overview of the European General Data Protection Regulation (GDPR) for organisations. The changes anticipated by GDPR are wide-ranging and require a cross-organisational compliance framework that will take time to assess and implement effectively. Organisations which process data within the UK should start their planning now if they have not already done so.
The result of the 23 June 2016 referendum on membership of the EU means that the Government will ultimately need to consider the effect on the GDPR. However, Brexit should have little, if any, impact on GDPR compliance planning. The GDPR will come into force in the UK in May 2018 without the need for implementing legislation, at which time it seems likely that the UK will still be a member of the EU (as exit negotiations are likely to take at least 2 years and have not yet been triggered).
Following the UK’s eventual exit, if the terms of the UK’s withdrawal from the EU result in the UK remaining in the EEA, it is likely that the UK would be required to comply with the GDPR. Even if the UK is outside the EEA, the practical reality is likely to be that substantial compliance with GDPR principles will be required in any event. In order for data to continue to be transferred from other EU countries to the UK, the UK will have to be able to demonstrate that it provides adequate protection for the rights of employees whose personal data is transferred. Demonstrating such adequate protection would be likely to require the implementation of much of the GDPR in national law.
The ICO has also expressed the view that UK data protection legislation requires reform in any event, and it seems likely that they would press for UK law to conform to a large extent with the GDPR.
Key actions which organisations should put in place now include:
- Put in place effective governance – Organisations should have a strong governance function in place, capable of impacting on and involving all parts of the organisation. Cross-department teams will be needed to ensure effective compliance with the GDPR, including HR, IT, Legal and Data Protection or other compliance specialists. Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR; they need to appreciate the impact this is likely to have, including on employee data. The degree of change over the next couple of years is such that effective governance is going to be critical to implementing the changes effectively and in good time. There will need to be ongoing governance in place regarding data flows, privacy notices and documenting privacy impact assessments in a way that hasn’t been seen before.
- Audit data flows to be clear about the purposes and legal basis for processing – Increasing awareness of the rights of data subjects and the changes to the legal bases for processing are two very good reasons to do this. The GDPR will have a significant impact on how, and how much, employee data can be processed. Use of data (including big data) will impact on all aspects of the employment relationship from recruitment, to compensation and benefits, mobility of your workforce and structural change and growth. HR involvement will be key to ensuring (i) that organisations can continue to process employee data for the purposes which are critical to both day to day management and the achievement of strategic objectives and (ii) that organisations are not exposed to the risks of the substantial sanctions which may be imposed for misuse of employee data under the GDPR.
- Implement training within your organisation – Many data privacy breaches are caused by simple errors. By having effective and memorable training processes in place, an employee is more likely to think about their actions, and hence a breach is avoided. Effective training on good practice will be valuable whatever legislation is ultimately in place.