From 25 May 2018, just over 8 months away, employers will be obliged to comply with the General Data Protection Regulation (the “GDPR”). With hefty sanctions at the ready for those who breach the requirements of the Regulation, employers should ensure that the new rules are taken seriously.
As well as ensuring that their practices are compliant with the GDPR, employers will also have a positive obligation to evidence that compliance. This means that employers must more actively demonstrate their compliance, beyond simply referring to a set of relevant policies. Examples of proactive measures might include staff training, implementing appropriate organisational/technical processes, maintaining an audit system and conducting regular spot checks to ensure compliance on an ongoing basis.
The GDPR will introduce a higher threshold for obtaining an employee’s valid consent to process his/her personal data. The new law provides that this consent must be “freely given, specific, informed and unambiguous” and take the form of a clear affirmative action. This means that the typical forms of consent found in many employment contracts will no longer be sufficient. In any event, there are doubts as to whether an employee’s consent could ever be regarded as “freely given” because of the power imbalance which can exist between employer and employee.
Employers may therefore wish to instead rely on a different basis for processing employee data such as where the processing is necessary for the performance of the employment contract itself, compliance with certain legal obligations or for the purposes of the employer's legitimate interests.
Where employee consent is to be relied upon, it should be obtained by way of a separate document rather than a data protection clause within the employment contract. In these circumstances, employers are advised to keep clear records documenting the consent itself and how it was obtained.
Importantly, an employee’s consent may also be withdrawn at any time and employers should inform employees of this right.
2. Data Protection Officer (“DPO”)
Public bodies and organisations which (i) regularly or systematically monitor data subjects on a large scale (e.g. CCTV systems which record and store footage, telephone systems which collect recordings, or marketing activities which involve collecting large amounts of personal data); or (ii) process a large amount of sensitive personal data, will be obliged to appoint a DPO.
For all other organisations, this step is voluntary. However, as employers generally may benefit from appointing a DPO to ensure ongoing compliance with the GDPR, this is something which should be considered.
3. Enhanced Rights for Data Subjects
Right to be Forgotten and Right to Data Portability
The GDPR provides that in certain circumstances, employees will be afforded an explicit right to have their personal data removed/erased, i.e. the right to be forgotten.
The new concept of “data portability” envisages allowing employees to easily move, copy or transfer their personal data from one environment to another.
In light of these rights, when reviewing procedures in the context of preparation for the GDPR, employers should review the capability of their systems in terms of how easy it will be (a) for an employee to collect/transfer his/her data to another environment; and (b) for an employer to locate and delete data when requested to do so by an employee.
Fair Processing Information
The GDPR extends the information which must be given to employees regarding how their personal data is processed by their employer. The current law provides that such information should include the identity of the employer and the purpose for which the data is being processed. The GDPR goes further to require that employees should also be informed of the details of any transfers of their data outside of the EU (if applicable), their right to make a subject access request, their right to rectify and/or delete their personal data and how long their data will be stored.
Subject Access Requests
The GDPR now provides that documentation/information provided further to an employee’s subject access request must generally be provided free of charge and within a period of 1 month (currently 40 days). In certain circumstances, taking into account the complexity of the request, a moderate fee may be charged by the employer and the time limit extended to a maximum of 2 months.
4. Reports to Regulator
Where there is a data breach, an employer will have to report the breach to the Office of the Data Protection Commissioner (the “ODPC”) within 72 hours, unless the data was anonymised or encrypted. In reality, this will mean that most data breaches must be reported to the ODPC. A breach which is likely to result in a “high risk to the rights and freedoms of individuals” will also trigger an obligation to notify those employees concerned directly.
An employer should have a policy in place which sets out clearly what amounts to a data breach and when/how breaches will be reported to the ODPC.
5. Increased Penalties
The GDPR will introduce a two-tier system in respect of sanctions: minor administrative breaches may attract a penalty of up to €10m or 2% of annual worldwide turnover, and more fundamental breaches can attract a higher fine of €20m or 4% of annual worldwide turnover. The GDPR sets out a number of factors that may be taken into account by the ODPC before setting a fine.
Given the increased sanctions which will be introduced by the GDPR, it is more important than ever for employers to ensure that they are compliant with both existing data protection legislation and the GDPR. As the GDPR will become effective in just over 8 months, time is of the essence. Preparatory steps ahead of May 2018 might include the following:
- Conduct an audit. Employers should review all personal data currently held (to include that of employees, clients/customers, suppliers etc.) to ascertain why/how it was obtained, why it continues to be held and for how long it will be held, how secure it is and whether it is ever shared with third parties and on what basis. This will give employers a clearer picture of their current situation so as to plan for the future.
- Review security procedures and existing policies/procedures or create new policies/procedures (where required) to ensure compliance. It will be essential to have in place a comprehensive data protection policy. Policies governing CCTV, social media and IT should also be considered.
- Keep up to date with developments leading up to May 2018. Although its Regulation status means that the GDPR will become directly applicable in Ireland in 2018 (i.e. without the need for implementing legislation), new Irish legislation is expected which will provide further guidance regarding the GDPR. The ODPC has helpfully produced guidance on its website for organisations in relation to the GDPR, which employers should take time to review and become familiar with.
- Consider whether there is a need to appoint a DPO and/or a working group, internally or externally, who will be responsible for implementing the GDPR and ensuring compliance. Employers should also spread awareness of the imminence and impact of the GDPR within their businesses and consider providing training to staff.
- Consent. Employers should consider whether it is still appropriate to rely on employee consent, or whether they should rely on another legal basis for the valid processing of employee data.