In the first of a series of articles on the EU's new data protection regulation, we look at the implications for UK employers and what they need to do to prepare for the changes ahead. The burden is higher and the stakes are greater than ever before.
Can I just ignore it given that Brexit is coming?
No: the General Data Protection Regulation (GDPR) is an EU Regulation, which means that, unlike a Directive, it will be directly incorporated into the UK legal system without the need for UK implementing legislation before Brexit happens. If the UK wishes to trade with the EU at all post Brexit, whether as part of the single market or otherwise, it will need to demonstrate an 'adequate' level of data protection; it is therefore likely that the UK will continue to implement these regulations post-Brexit. The government has already embraced the GDPR as part of its Digital Strategy.
It doesn't apply until May 2018, so there is plenty of time, surely?
It may seem far off; however, as there is a great deal of work to be done, preparations should already be underway. Changes will be required to policies, procedures and IT systems. Staff who process data will need to be trained on the new requirements. Information notices are likely to need amending.
What will change?
The basic principle of data processing will remain the same, that is, data cannot be processed unless one of a number of conditions is met. Typical justifications under the Data Protection Act (DPA) are: consent, processing is necessary to perform a contract or to comply with legal obligations, or processing is necessary in pursuit of the legitimate interests of the data controller. There are a number of important changes to DPA concepts and a number of new concepts. Public authorities will no longer be able to rely on legitimate interests as a basis for processing. Anyone else relying on legitimate interests must keep a record of the assessment made, balancing the organisation's needs with the individual's rights.
Transparency: The GDPR requires more extensive information to be given to individuals about the processing of their personal data. This includes the purpose of the processing, the legal basis for processing, legitimate interests relied on and the period for which the data will be retained. The individual must be told he has a right to access and port data, to rectify, erase and restrict his personal data, to object to processing and to withdraw consent and to complain to the ICO.
Consent: It is important to note, from an employer's perspective, the following statement which appears in the recitals: 'in order to ensure that consent is freely given, consent is not a valid ground for processing where there is a clear imbalance between the individual and the controller'. This means it will be very hard for employers to rely on consent as a condition of processing. A general consent to processing clause in the employment contract, as is currently common, will not be sufficient (if it ever was). Prior to giving consent, the employee must be informed that he has the right to withdraw his consent at any time. It must be as easy to withdraw consent as to give it. When processing has multiple purposes, consent should be given for each of them. The request for consent should not be buried in another document; it must be clearly presented. Consent should not be a condition of performance.
Accountability: Employers must be able to demonstrate their compliance with GDPR principles, including by adopting certain 'data protection by design' measures such as policies, audits, protective measures and record keeping. High risk processing will require a detailed privacy impact assessment. Where high risk processing is proposed there is a requirement to obtain the view of the ICO as to the adequacy of the measures the employer proposes to take to mitigate the risk. Employers may decide to (in some cases must) appoint a Data Protection Officer.
Data breach: Organisations will be required to report personal data breaches to the ICO (and in some cases, the data subjects) as well as maintain a breach register.
Data subject access rights: These are enhanced and will include a right to be forgotten ('erasure'), to request data be 'ported' in machine readable form and to object to processing for specific purposes. On receipt of a subject access request the data processor will be required to confirm whether it processes data about the individual, provide a copy of the data and explanatory materials in electronic form, including, if applicable, why it intends not to comply, without undue delay and at the latest within one month (although there is provision for an extension in complex cases). There is no right to require a £10 processing fee before complying.
Profiling: There will be strict regulation of data which is automatically processed and which is used to evaluate individuals, such as their performance at work or location.
Processing principles: These are similar: fairness, lawfulness, transparency, purpose limitation, storage limitation, data minimisation, data quality, security, integrity and confidentiality. Accountability, the requirement to be able to demonstrate compliance, is a new concept.
The penalties for breach: Depending on the type of breach, a fine of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. This is significantly higher than the maximum under the DPA of £500,000 for serious breaches. In addition, there may be liability to the individual in damages for loss caused.
What should I be doing to prepare my organisation?
These changes affect all of the data your organisation processes about individuals, not just employees. You will need to start at the highest level in your organisation as this is a governance matter. The new regime requires employers to implement a wide range of measures to reduce the risk of breach and to show that it takes data governance seriously. Make key people aware of the changes and plan to ensure your organisation has the appropriate governance, budget and resources in place.
Begin with an audit and record what information your organisation holds, the purposes for which it holds it, what justification for processing is relied on, who it shares it with, how long it is kept, etc. Privacy notices will need to be amended to take account of the additional information required. Identify the instances of processing where you rely on consent. Employers will need to review existing consent mechanisms to ensure they are offering a genuine and 'granular' choice. Can you still rely on consent? If not, look for an alternative lawful basis for that instance of processing, such as necessity for the performance of the employment contract, for compliance with a legal obligation or for the pursuit of legitimate interests.
Employers should ensure they document and are able to demonstrate compliance in accordance with the new accountability principle. Make sure your policies and procedures are revised and that relevant staff are trained to deal with subject access requests, data erasure requests, objections to processing etc. Devise a process for identifying, recording and notifying breaches. Ensure contracts with third parties require them to notify you of breaches.
Where can I get help?
The Information Commissioner's Office (ICO) is publishing practical guidance to help organisations prepare for the change.
We will be publishing a series of articles looking at the impact of the changes on organisations as employers and providing practical tips on how to prepare, how to deal with the new concepts and which documents employers may need to review.