The most significant regulatory change of the last few decades in EU data protection law is drawing nearer: the General Data Protection Regulation, known as the 'GDPR', becomes applicable in May 2018. The GDPR sets out harmonised core principles and rules on data protection across all EU Member States, therefore requiring them to review national data protection laws, amending or repealing those that overlap with the GDPR.
In Finland, the work for reviewing national legislation took a significant step forward in the run up to Midsummer when a Working Group set up by the Finnish Ministry of Justice gave a memorandum of proposed amendments to general data protection laws. When it comes to special laws concerning privacy in employment, more information about the proposed changes is expected in late 2017. While Finland currently has strict laws which aim to ensure privacy in employment and it is not expected that any significant amendments to these rules are necessary for the GDPR, Member States are allowed to introduce additional data protection rules, through derogations, on a range of areas including employment practices.
In addition to these derogations, the GDPR itself is directly applicable to processing personal data of employees. In practice, this means that all employers must be able to comply with the rules set in the GDPR in addition to those set out in national law. For example, each employer must prepare for the GDPR by updating current information to employees, such as privacy policies, and by reviewing contracts concerning outsourced payroll and accounting functions. As the GDPR is based on the so-called risk-based approach, employers are also expected to recognise areas that might be especially risky to employees' privacy, with video camera surveillance and the monitoring of the location of employees at the top of the list. Employers must then focus on minimising those risks with technical and organisational measures.
In conclusion, while the full picture of legislation concerning privacy in employment is still unclear in most Member States, it is highly recommendable that all employers start to prepare for the GDPR as early as possible given the potential organisational, technical and administrative impact of the new rules on many organisations in all business sectors.