EU data protection: what’s changed?
On 14 April 2016, the European Parliament voted formally to approve a new General Data Protection Regulation (GDPR). The GDPR will replace the current Data Protection Directive. Its formal approval by the European Parliament marks the conclusion of the legislative process and many years of work between the various bodies of the EU.
The premise behind the GDPR is to overhaul EU data protection rules to ensure that they are fit for purpose in a “digitised world of smartphones, social media, internet banking and global transfers”. While many of the GDPR’s requirements are substantially similar to those found in the UK’s Data Protection Act 1998 (DPA 1998) there are some significant differences. For example:
Consent: Many data protection restrictions are set aside or relaxed where an individual consents to the data processing. The DPA 1998 is silent on what consent actually means, and the current Directive says only that consent must be “freely given, specific and informed”.
By contrast, an effective consent under the GDPR must be “freely given, informed, specific and explicit”. In addition, where consent is purportedly given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.
In line with common practice it is likely to remain possible to include consent provisions within employment contracts, but how far that consent can be used to process the data for anything other than routine HR matters remains contentious.
Subject access requests: The subject access request regime will also change. Instead of having 40 days under the DPA 1998 to respond to a request, and being able to charge £10, employers will have to comply with a subject access request within one month and without any fee.
Data Protection Officers: Some employers will need to appoint a Data Protection Officer. For example, public authorities, organisations whose activities involve the “regular and systematic monitoring of data subjects on a large scale” or those processing special categories of personal data on a large scale will be caught by this requirement. The Data Protection Officer will be akin to an internal regulator, independent from management and hard to remove from office absent misconduct.
Why replace a Directive with a Regulation?
While this may be a bit of a technical point, it is worth noting that because the GDPR is a “Regulation” rather than a “Directive”, it is directly enforceable in the UK without the need for the UK government to legislate independently. In other words, there will be no need for the UK to introduce a “new” Data Protection Act - the provisions of the GDPR will, subject to our comments below, simply apply (and the DPA 1998 will be repealed).
What about a Brexit?
The GDPR will enter into force 20 days after its publication in the EU Official Journal, and its provisions will be applicable two years after this date. Summer 2018 is therefore the likely point at which organisations will be required to comply. This long lead-in time brings the referendum on the UK’s membership of the EU into focus.
Both the UK government and the Information Commissioner’s Office (ICO) have been fairly critical of some of the more prescriptive and onerous aspects of the GDPR. It is possible, therefore, that in the event of a Brexit the government may take the opportunity to retain the DPA 1998, or adopt a revised version of the GDPR, or even (though perhaps less likely) bring in a wholly new data protection regime.
What steps to take now
Due to these uncertainties, coupled with a 2018 date for compliance, many organisations may be tempted to “wait and see”. The lure of that approach is obvious, although the ICO has sounded a note of caution about this, fearing that organisations will lose valuable time for preparation and compliance.
Instead, the ICO advocates beginning work now, and to that end it has issued helpful guidance setting out a framework of “12 steps to take now”. Organisations with complex data processing arrangements, for example those which routinely move data out of the EEA or which might be required to have a DPO, would be well-advised to begin preparations early.
The first step for all businesses is to understand what data you have, where it is and what you do with it. This is true for employee data, but also for all the other types of data every business routinely collects and processes. Once you have that information, compliance with the GDPR becomes much easier. Without that information, compliance is broadly impossible.