The EU Parliament has recently voted in favour of the new EU data protection regulation, bringing to a close the formal approval process between the Commission, Parliament and Council of the most significant change to data protection laws in nearly 20 years. (See previous briefing from December 2015 concerning initial agreement in principle)
The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 1995 from 2018. Once the translation process is complete (likely in two to three months’ time), it will be published in the EU Official Journal, and come into force 2 years and 20 days after that.
The fact that GDPR is a regulation, not a revised Directive, is itself significant since it will be directly applicable in Member States without additional national legislation. It has taken a long time to get to this point, reflective of the degree of change GDPR will bring about and its likely impact. Employers might be forgiven for thinking that a 2 year run-in period from now is a long one and that they can afford to postpone taking any preparatory steps. However, the scope of change for employers should not be underestimated: institutions would be well-advised to start preparing for it now.
Some key issues for employers
A stronger framework
- More prescriptive: The GDPR is a much more prescriptive and expansive set of obligations, which will bring with it greater restrictions on staff data-processing overall, less flexibility for employers when it comes to risk-based decisions on compliance and higher potential liability for non-compliance. Ironically, an increasing part of employer controls is in fact to protect data and staff.
- Unified approach: In its favour is the potential for GDPR to allow a more unified approach to data protection, which will particularly benefit those organisations with EU-wide presence or dealings. This is what the GDPR aims to achieve, but it remains to be seen whether it will do so in practice, as the GDPR also permits Member States to enact additional controls to protect employee data (a provision retained because some Member States felt the GDPR could otherwise weaken some specific protections they already had in place). If many take this option, the benefits for international employers of uniformity and a consistent approach could be weakened.
- Data protection officers: The appointment of data protection officers, whilst thankfully not mandatory for some organisations under GDPR, could prove more prevalent given that such appointments will be necessary for organisations whose core activities involve regular or systematic monitoring, or processing on a large scale of sensitive personal data (eg related to health, racial or ethnic origin) and personal data relating to criminal convictions and offences.
- Limits on consent: Employer ability to rely on employee consent for processing will be restricted significantly, both by a requirement for more in-depth data protection notices detailing the scope of the consent and by a more restricted interpretation of consent itself to prevent undue influence.
- Tighter controls on records: GDPR sets much tighter standards on the nature of data employers can retain and for how long. Record retention periods will need to be identified.
- Processing without consent: The circumstances in which GDPR allows employers to rely on “legitimate” interest to override individual consent are much more constrained – not least by a requirement that any such alleged interests must be spelt out in a more detailed privacy notice in advance. It will no longer be acceptable to retrospectively apply a liberal interpretation of broad phrases in this context, with the advantage of hindsight.
Wider territorial scope
The GDPR extends the current territorial reach of EU data protection law. For example, many organisations outside of the EEA will be subject to it where they monitor EU data subjects.
The GDPR provides new and increased caps on the level of fines that Supervisory Authorities (national bodies with responsibility for overseeing data protection compliance, such as the UK Information Commissioner) are permitted to impose against both data controllers and now also data processors that have breached relevant provisions. Depending on the breach, such maximum fines can be up to 2% or 4% of an ‘undertaking’s’ total worldwide annual turnover in the previous year.
For the first time, the GDPR also places specific obligations on data processors. As a result Supervisory Authorities will be able to take enforcement action and issue fines (up to 2% for processors as described above), where a processor does not abide by these new statutory obligations. This and other requirements mean that many services and other data sharing agreements will need to be reviewed and potentially amended.
As indicated above, the extent of the likely impact of the GDPR for institutions should not be underestimated. To provide just a few examples of typical employment situations which are likely to be affected significantly, employers can expect:
- Subject Access Requests to become even more frequent but also more difficult to administer, as the ability to charge a fee is removed, the timescales for responses become more rigid and some of the exemptions commonly relied upon currently disappear (unless Member States introduce national laws to reduce these effects to the limited extent permitted under GDPR).
- Handling of sensitive personal data to be more difficult – especially data relating to criminal records. In the latter case, lawful reasons for processing largely disappear under GDPR (unless, again, national laws are implemented to permit this). Such restrictions clearly have a potentially significant impact for employers when it comes to staff background checks and investigations.
- Record keeping will increase significantly, to capture the data processing undertaken, any steps taken to ensure compliance with GDPR (such as privacy impact assessments and audits) and instances of non-compliance, e.g. data security breaches (whether reportable or not). Whilst some organisations may already implement some of this record keeping practice (such as through privacy impact assessments), this has largely been as a matter of best practice. GDPR codifies a lot of this practice, moving away from risk-based assessment of what is required for data privacy governance. This is a significant shift in the burden of proof of compliance for employers.
This is but a small selection of some of the considerations for institutions. We will be following up with more detailed briefings in the coming months.
While the GDPR will not be implemented for at least two years (current expectation is by mid 2018), some employers may need to make substantial changes to their current practices, protocols and general culture in relation to privacy. Such sweeping changes will need time to implement.
As a first step, employers should familiarise themselves with the GDPR and the obligations that apply to them, prioritising areas that represent the greatest risk and undertaking a gap analysis of their compliance position.
Key issues for employers to consider include who will take responsibility, adapting policies and practices to accommodate the changes to handling staff data, what position to take with regard to liability and relevant contract terms with controllers or processors and understanding the risks and opportunities involved.
The EU parliament press release can be viewed here.