The implementation of the long-awaited European Union (“EU”) General Data Protection Regulation (“GDPR” or the “Regulation”) is now clearly on the horizon.
In this bulletin, we summarise some of the consequences of the GDPR for organisations and set out how employers and human resource (“HR”) professionals can ensure compliance. It is essential that employers and HR professionals plan ahead, as the GDPR will affect many parts of their organisation, from candidate records to employee details, all of which are covered by the new rules.
The GDPR replaces the Data Protection Directive 95/46/EC (the “Directive”) and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights and to reshape the way employers across the region approach data privacy.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from 1995, when the Directive was established. Although the key principles of data privacy have been retained in the GDPR, many changes have been proposed to the regulatory policies.
The GDPR takes effect and is enforceable from 25 May 2018, at which point employers in non-compliance may be liable to penalties. As the GDPR is a Regulation, and not a Directive, it will have direct effect and need only limited transposition into national law. The Irish Acts (the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003) will, however, require replacement.
One of the biggest changes to data protection law will be the extended scope of the GDPR, above and beyond existing data-protection legislation. The GDPR will apply to data controllers and processors using information relating to data subjects within the EU, regardless of the controllers’ and processors’ locations. A ‘data controller’ can be an individual, or a legal person such as a company, public authority, agency or employer, that, alone or jointly with others, determines the purposes and means of processing personal data held in digital or structured manual files. A ‘data processor’ can be a company, employer or individual that holds or processes personal data but does not exercise responsibility for or control over that data. A ‘data subject’ is the candidate or employee to whom the data relates.
The structure and concepts in the GDPR will be familiar to many employers who have an understanding of the existing data protection legislation; however, employers will need to be familiar with certain key changes. The most important of these is the restriction on the use of consent in the context of the employment relationship. From an employment law perspective, it seems that the onus will be on the employer to show either that the employee has consented to their data being processed, or that there is a legitimate interest in processing the data or a legal requirement to do so.
Candidate and Employee Rights
The GDPR will give candidates and employees greater control over how their personal data is used, which will require a change in practice on behalf of most organisations. GDPR will require employers and HR professionals to state the legal basis for processing data, retention periods, the data subject’s right of complaint, and provide information about individual rights under the GDPR.
The conditions for consent to data being shared have been strengthened, requiring employers and HR professionals to use clear, legible and intelligible language in their engagements with candidates and employees. The GDPR requires that information provided should be in clear and plain language to ensure transparency and ease of access; employers must therefore ensure that privacy notices and policies are checked and considered against the rights of candidates and employees.
Many employers rely on employees’ implied consent to process their personal data, and consent or data protection clauses are often included in the employment contract. However, under the GDPR, for consent to be valid it must be freely given, specific, informed and revocable. The GDPR states that, given the imbalance of power between employer and employee, employees can only give free consent in exceptional circumstances.
Consent is only one of a number of potential legal bases for processing employee data. Alternative legal bases include processing being necessary for the performance of the employment contract, required by law or in the employer’s legitimate interests which outweigh the general privacy rights of employees.
Candidates and employees will have a right under the GDPR to obtain information from employers about whether their personal data is being processed and, if so, where and for what purpose.
The GDPR gives candidates and employees the right to access personal data, to exercise that right easily and at reasonable intervals, so as to be aware of and verify the lawfulness of the processing. Under GDPR, candidates and employees will have the right to be informed of the existence of the rights to request rectification, erasure or restriction of processing, to object to processing and to complain to the relevant data protection supervisory authority.
Given the seriousness of non-compliance, employers and HR professionals should ensure that their organisations have the right procedures in place to detect, report and investigate a personal data breach.
Under the GDPR, breach notification will become mandatory in all Member States where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’. The Data Protection Authority must be notified within seventy-two hours of the controller or processor first having become aware of the breach, and if this timeframe is not met, reasoned justification must be provided. Similarly, affected individuals must be notified without undue delay.
The GDPR gives data protection authorities more robust powers to tackle non-compliance, including significant administrative fining capabilities of up to €20,000,000 (or 4% of total annual global turnover, whichever is greater) for the most serious infringements. The GDPR also makes it considerably easier for candidates, employees and former employees to bring private claims against employers when their data privacy has been infringed. The GDPR will also allow candidates and employees who have suffered non-material damage to bring a claim for compensation as a result of an infringement.
Owing to the breadth of the Regulation, employers are advised to conduct a review of their existing data protection procedures, to allow sufficient time and resources to effect the changes required to ensure GDPR compliance.
The new and expanded rights under the GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes.
To ensure compliance, employers should first identify which aspects of the business the GDPR most affects, consult with senior personnel, and identify key risk areas and where gaps may exist from an early stage.
Key considerations when conducting a review of your status pre-implementation are to identify what personal data is held within your business on candidates or employees, where it is located, the purpose for holding such data, and where it is transferred to and from, including third-party and cross-border considerations. This includes ensuring a legitimate basis for cross-border transfers of personal data to jurisdictions that are not recognised as having adequate data protection regulation. Consideration must be given to how data is secured while it is being held and transferred. In addition, retention timeframes must be understood and managed so that data is held within your organisation no longer than permitted.
Employers should put in place clear policies and well-practised procedures to ensure that they can react quickly to any data breach and notify in time where required. This requires embracing privacy by design, which calls for data protection to be built into systems from the outset of their design, rather than added afterwards.
As GDPR requires employers to be able to demonstrate and document how they comply with the Regulation, establishing a framework for accountability from the outset is key to successful implementation. Requirements apply to all workers including agency workers and contractors. A framework for accountability should include the appointment of a Data Protection Officer (“DPO”) and training staff to understand their obligations under GDPR.
In future briefings, Aperture Partners will focus on other practical impacts of the GDPR on the employment relationship and what employers and HR professionals can do to manage these risks, and prepare for implementation.