The General Data Protection Regulation ("GDPR"), due to take effect on 25 May 2018, aims to harmonise data protection rules across the European Union ("EU") and marks a milestone in data protection laws in the EU. The GDPR places onerous obligations on organisations in relation to all personal data which they process. It is strongly advisable that employers begin to prepare now for the GDPR and we have highlighted five key points to use as a starting point.
- Data Protection Officers ("DPOs"): The GDPR provides that a DPO should be appointed by organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, as well as organisations whose core activities involve the processing on a large scale of special categories of personal data, including processing information relating to criminal convictions or offences. It will be mandatory for public authorities to appoint a DPO. There is also scope for Member States to propose instances where a DPO will be required, and such appointment will be provided for in this jurisdiction by the Data Protection Bill 2017. Organisations can also appoint a DPO voluntarily. Employers are advised to conduct an analysis now to determine if they must appoint a DPO. As this could be costly, businesses should start to review their budgets accordingly.
- Consent: The GDPR sets out an elevated threshold for obtaining consent. The test for consent has been radically overhauled under the GDPR and will be much more difficult to rely on. The onus rests with employers to prove that they have obtained consent validly. Consent must be freely given, specific, informed and unambiguous. The GDPR removes the possibility of "opt-out" consent by forbidding silence, inactivity and pre-ticked boxes as a means of providing consent. Employers should be aware of this and consider phasing out reliance on consent as their legal basis for processing data. Consent must also be given separately from the contract of employment, and it is advisable that employers start to review their existing contracts without delay to ensure that they meet the required standards. Once the GDPR takes effect, employers must make employees aware of their right to withdraw consent at any time. It is recommended that employers consider a basis for processing data other than consent, such as contractual necessity, statutory compliance or legitimate interests.
- Data Protection Impact Assessment ("DPIA"): Any business implementing new processes or technologies which involve processing that is likely to result in a high risk to the rights and freedoms of employees may need to carry out a DPIA. Under the GDPR, systematic and extensive evaluation of personal data (such as profiling), large scale processing of special categories of personal data or personal data relating to criminal convictions or offences, and large scale systematic monitoring of public areas will be regarded as processing that is likely to result in a high risk.
- Enhanced Rights of Data Subjects: The GDPR grants new rights and builds on existing rights of data subjects. The rights of access, data portability, correction, erasure, objection and restriction of processing of personal data are all provided for under the GDPR. Employers should be aware that the time frame for responding to subject access requests will be reduced to one month and are advised to start adapting their procedures to accommodate this. It is recommended that employers review their current procedures and appoint a team who will be accountable for ensuring these rights are implemented.
- Penalties: The GDPR provides for heavy sanctions to be imposed in the event of non-compliance; in particular, heavy administrative fines may be imposed. Depending on the breach, a penalty of €10 million or 2% of annual global turnover, whichever is greater, or €20 million or 4% of total annual global turnover, whichever is greater, may be imposed.
As the GDPR brings data protection to a new level and demands rigorous compliance, it is advisable that employers implement policies to ensure compliance and avoid such penalties:
- Know what personal data is being held, the purpose for holding data, and how long data will be held.
- Appoint a working group, internally or externally, who will be responsible for implementing the GDPR.
- Revise and amend policies and procedures.
- If your organisation has not started its preparations, start now.