The EU recently finalised its new regime for data protection. With a two-year run-in period, the General Data Protection Regulation (GDPR) will apply from 25 May 2018.
The GDPR aims to introduce a ‘one-stop shop’, with a common set of rules applying across the EU. Although the European Commission claims that this will save businesses €2.3bn per year, its assessment has been challenged, with the Brussels European Employee Relations Group, for example, predicting not a saving, but an annual cost of €3.3bn. Whatever the overall figure, within the employment arena, savings are unlikely, as member states will have power to impose more specific national rules.
The rules are backed up by tougher penalties for data protection breaches. The maximum penalty will be €20m or four per cent of total worldwide annual turnover, whichever is higher (a lower tier of €10m or two per cent applies to less serious infringements, such as failures of record-keeping or breach notification). Although not every mistake will lead to a penalty, the potential exposure will lead most organisations to put greater focus on compliance.
The GDPR will affect any area in which personal data is processed, but it is in relation to employment that businesses are likely to process most data. So what are the implications for employers?
Information on data
Employers are currently required to provide information on the purposes for which data is processed. The GDPR extends this. Employers will need to specify the legal basis for processing. In an employment context, much processing relies on the employer’s “legitimate interests”, which must be balanced against the interests and rights of the employee. One example is processing personal data in connection with appraisals, where the employer has a legitimate business interest in ensuring that employees who perform well are recognised, and others are perhaps given support. These interests will need to be spelt out. Employees will also be entitled to information on how long data will be kept and on legal rights such as the subject access right.
Consent is commonly used as a legal basis for processing, normally through a clause in the contract of employment. The new rules tighten this. Consent must be informed, specific and freely given, with a genuine choice; given the imbalance of power between employer and employee, consent bundled into the employment contract is unlikely to meet this standard, and employers should expect to rely on another basis, such as legitimate interests or legal obligation, instead. Employees can withdraw consent at any time, and withdrawing it must be as easy as giving it.
Data subjects’ rights
The rules on data subject access will change. The fee (£10 in the UK) will be abolished. The time for compliance (currently 40 days in the UK) will be reduced to one month, though this may be extended by up to two further months if a request is complex or requests are numerous, provided the employee is told of the extension within the first month. If a request is manifestly unfounded or excessive, the employer may either charge a reasonable fee or refuse to act on it, but the employer bears the burden of showing that the request is excessive, so a record of the reasoning should be kept.
Data subjects will have other rights: to erasure (the right to be forgotten), to have inaccurate data rectified, and to restrict or object to processing.
Employees make mistakes – they leave laptops on trains, send emails to the wrong person and are careless with passwords. Under the new rules, employers discovering a personal data breach must notify the regulator within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must also tell the affected individuals without undue delay where the breach is likely to result in a high risk to them. Every breach, whether or not it is reported, must be recorded, together with its effects and the remedial action taken.
Rather than simply complying with the law, as they are required to do now, employers will have to be able to demonstrate compliance. To do so, employers are likely to develop policies and, if challenged, produce evidence showing both that they had policies in place and that they had followed them.
Data protection officers (DPOs) will have to be appointed if an organisation’s core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data, and in the public sector. A DPO may be an employee or a consultant, but must be independent: the DPO must report to the highest level of management and must not be dismissed or penalised for carrying out the role.
If the UK votes to leave the EU on 23 June, the GDPR will not apply directly. However, if data is transferred to the UK from within the EU, the UK will have to meet EU standards of protection. UK businesses offering goods or services to individuals in the EU, or monitoring their behaviour, will also have to comply with the GDPR. So while there may be some room for flexibility as to the details, Brexit will not make much difference.
Although the new rules will not apply until 2018, employers would be well advised to take the following steps now:
Training staff who process personal data – the entire workforce in many organisations – will also be vital both to avoid problems in the first place and, if problems do arise, to mitigate potential penalties.
Copyright © 2017 Stallard Kane Associates. All rights reserved.