What do we already know?
Since 1998 when the Data Protection Act (DPA) was first introduced, organisations have been required to put systems in place to ensure the protection of personal data. The DPA was implemented as a consequence of EU law, namely the EU Data Protection Directive.
The European Parliament has this month voted in favour of a new General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive and national data protection legislation. The new legislation will apply directly to organisations in the EU without the need for implementation via national laws.
This is an important change and the GDPR aims to form a new, more prescriptive, data protection landscape in Europe with a unified, consistent approach. There will be stricter requirements and higher fines, greater restrictions on staff data-processing overall and less flexibility for employers when it comes to compliance.
In order to help you to understand and prepare for this important reform, we set out FAQs below:
Who will the GDPR apply to?
All organisations in the EU, both public and private, which collect and keep data about people i.e. ‘data controllers’.
In addition, it will apply to organisations based outside the EU where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of EU individuals’ behaviour.
This means that the GDPR will apply to virtually all businesses serving or targeting individuals in the EU market. This is wider in scope than current data protection laws.
What date do we need to comply by?
Organisations are likely to need to comply by Spring/Summer 2018.
The exact timing depends on when the GDPR is published in the Official Journal of the EU – expected in the next couple of weeks. There is then a two-year transition period from date of publication before the GDPR becomes effective.
What are the main changes?
The most important changes for UK employers, with a focus on those most likely to comprise HR responsibilities, include:
- Increase in information to provide to employees when obtaining personal data: Under the existing law, employers are required to provide job applicants and employees with a privacy notice (sometimes called “fair processing information”) setting out the purposes for which data is processed, together with any further information needed to ensure processing is fair.
Under the GDPR, all information provided must be concise, transparent, easily accessible and given in plain language. In addition to the information provided under the current rules, employers must provide information on the legal basis for processing. This will involve a careful analysis of the data processed and the available legal bases. If data is sensitive, an employer will need to specify which of the conditions for processing sensitive data it is relying on, in addition to providing details of the general basis for processing that data.
- Grounds for processing employee data tighter: Employers will need to carefully consider the basis on which they process employee data. Grounds which have been historically relied on, such as consent or the employer having a legitimate interest in the data processing, will be harder to comply with:
- Use of consent: Employers’ ability to rely on employee consent for processing will be restricted significantly. The GDPR not only requires more in-depth data protection notices, detailing the scope of the consent, but also imposes a more restricted interpretation of consent itself to prevent undue influence. A request for consent must be presented in a manner which is specific, clearly distinguishable from the other matters, in an intelligible and easily accessible form and using clear and plain language. Even if consent is obtained this way, such consent may be withdrawn at any time. This is very likely to have implications for employers seeking consent to data processing at the same time as a contract of employment is signed.
- Legitimate interest: An employer’s reliance on having a legitimate interest in the data processing will be subject to challenge due to a new right for employees to object to processing on this ground. This challenge cannot be overridden unless the employer has compelling legitimate grounds for the processing. In addition, any such alleged interests must be spelt out in a more detailed privacy notice in advance. It will no longer be acceptable to retrospectively label the processing as in the employer’s legitimate interest.
- Data subject access requests will be easier for employees: It is likely that such requests will become even more frequent and more difficult to administer. This is because employees will be able to make data subject access requests without restriction and without payment of a fee, unless the requests are manifestly unfounded or excessive. Employers must respond without ‘undue delay’ and no later than one month (subject to a two month extension for complex/multiple requests). Some of the exemptions commonly relied upon currently will disappear (unless Member States introduce national laws to reduce these effects to the limited extent permitted under GDPR). At present under the GDPR there are no exemptions (even on the grounds of legal privilege) which an employer can rely on to avoid provision of the employee’s personal data.
- Routine criminal records/DBS checks may not be allowed: Employers may have to review any policy of routinely conducting standard (i.e. not enhanced) criminal records checks. This is because lawful reasons for processing largely disappear under GDPR unless national laws are implemented to permit this.
- Employee rights to delete or correct their personal data: Employers must promptly delete an employee’s data if one of a number of grounds apply, including that the data is no longer necessary for the purpose for which it was collected. Where data is alleged to be inaccurate, employers will also have onerous responsibilities to check and correct the data and will be restricted as to how it is used in the meantime.
- Employers must notify any data protection breaches within 72 hours: A data protection breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. Employees make mistakes; they leave laptops on trains, send emails to the wrong person and are careless with passwords. These are all personal data breaches.
Employers will have to notify the relevant national data protection authority (in the UK, the Information Commissioner’s Office (ICO)) within 72 hours of becoming aware of a data protection breach, unless they can provide a reasoned justification for the delay. However, the notification requirement does not apply if the breach is unlikely to result in a risk to data subjects (e.g. because all data on a laptop was encrypted). If the breach is likely to result in a high risk for the individuals’ rights and freedoms, data controllers will also have the obligation to notify individuals of the breach without undue delay.
- Employers must be audit ready: Employers are expected to set up systems in a way which ensures compliance by design and default – restricting the data, use and access. The responsibility is on employers to prove compliance and they must keep records and have policies in place to demonstrate that.
- Increased penalties: Supervisory authorities, such as the ICO in the UK, will be able to impose increased financial penalties against organisations which breach relevant provisions of the GDPR. Depending on the breach, such maximum fines can be up to 2% or 4% of an organisation’s total worldwide annual turnover in the previous year. This is compared to the current maximum penalty in the UK of £500,000. Although this does not necessarily mean higher penalties in practice, this change is likely to lead to a greater focus on compliance.
- Appointment of a Data Protection Officer (DPO) may be required: It will be mandatory to appoint a DPO if the organisation’s core activities involve systematic monitoring or large-scale processing of sensitive data (for example, health data or criminal records) or if it is a public body. Although employers hold sensitive data, particularly in relation to health, it is unlikely that processing will be sufficiently large-scale for appointment of a DPO to be mandatory. The DPO is expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the GDPR.
- Data protection by design and by default: Employers will be expected to take steps to build data protection into system design. Subject to what is technically practicable and cost, they will need to build in safeguards to comply with the rules. Measures must be taken to minimise data collected, ensuring it is necessary for the specific purpose for which it was obtained.
Therefore, where an employer is contemplating a new HR system, it would be advisable to consider to what extent data protection can be built into the design.
- Controls on records: GDPR sets tighter standards in respect of the data employers can retain and for how long. Record retention periods will need to be identified.
What should we do now?
The revised rules will not apply until the summer of 2018. Although a good way off yet, the new rules have wide-ranging implications and early forward planning and preparation are advised.
The Information Commissioner’s Office (ICO) has published a helpful and user-friendly 12-step checklist, available here, for organisations on preparing for the GDPR. We recommend watching the ICO website for any further guidance on how to prepare for the changes.
We also set out our own practical preparation steps below:
- Familiarise yourselves with the requirements of the GDPR and identify and risk-assess the relevant obligations for your organisation;
- Identify key staff to manage the change and allocate responsibilities. Consider appointing a DPO and whether, in fact, this is mandatory;
- Identify all existing data systems and the personal data processed. Understand the legal basis for processing the data and identify what will need to change to comply with the revised regime;
- Identify other systems, policies and practices which will be affected by the changes and consider necessary amendments. For example:
  - Privacy notices and other fair-processing information given to employees (and job applicants): consider what additional information will need to be included. E.g. what “legitimate interests” underpin processing? How long will data be stored?
  - Contracts of employment, handbooks and policies:
    - Contracts: review both your current contracts and your contract template for new starters. Such review should include considering whether, and if so how, you are seeking, obtaining and recording consent and whether you need to make any changes. Consider relying on other routes such as the “legitimate interests” ground or that ‘processing is necessary for performance of the employment contract’. Note that any alleged legitimate interests must be spelt out in a more detailed privacy notice in advance.
    - Data Protection Policy: review in light of the proposed changes made by the GDPR and amend your existing Data Protection Policy, or prepare a new policy, for handling data breaches. Ensure that breaches and loss are reported promptly to the relevant member/s of staff and that there is a risk-assessment process in place to decide whether to escalate to the ICO within the 72-hour time frame in order to avoid penalties;
- Train relevant staff on data protection responsibilities and how they are affected in their job; and
- Amend or develop and implement a policy on retention and storage of data, including emails.
Please note that this is a brief summary of a complex piece of legislation. There are many further aspects which will apply in certain contexts. These include rules on transfers outside the EU and a duty to carry out data protection impact assessments.
Given the complexity and extent of these changes there will, no doubt, be further information and more detailed guidance to come. So watch this space.