The European Parliament has approved the General Data Protection Regulation, a comprehensive data protection reform package which was four years in the making. It will come into force in all member states on 25 May 2018.
What are the key features of the new regime?
- Harmonisation of data protection law: the Regulation creates a common set of rules which will apply across the EU;
- Potential for much tougher penalties: maximum fines of 20 million Euros or 4% of worldwide turnover, whichever is higher (the maximum penalty in the UK at the moment is £500,000);
- Greater emphasis on giving individuals control of their data;
- Higher standards for effective consent to data processing:
  - Contracts which ask for consent to process personal data must clearly distinguish between terms relating to personal data and other matters (for example, a separate signature box must be used for providing data processing consent);
  - Individuals will have the right to withdraw consent at any time and must be able to do so easily;
  - Consent will not be effective if there is no genuine choice as to whether or not to give it;
- New measures to increase accountability for data controllers, for example the requirement for a data protection policy and new record keeping obligations;
- Additional data security requirements, including an obligation to impose contractual conditions on other businesses which will process personal data for the organisation (e.g. cloud services, payroll companies);
- A requirement to notify data protection authorities of a data breach within 72 hours, and if the risk to individuals is high they must be notified as well;
- An obligation for public authorities and public bodies to appoint an independent data protection officer (this may be an employee), who will have a role similar to that of an auditor.
What does it mean for employers?
Many employers rely on employee consent to process personal data obtained as a standard term of the employment contract. When the new regime comes into force this approach is unlikely to be effective, as consent required under an employment contract will not be regarded as freely given.
Employers will therefore need to consider what other grounds may justify processing employee data (for example, that it is necessary for the purposes of the legitimate interests of the employer, or the performance of the employment contract).
Under the new regime, employers will need to provide a detailed 'privacy notice' to employees and job applicants setting out information about how their personal data will be processed.
These notices must be clear and easy to understand, and must specify the legal basis on which the employer will process the data.
Subject access requests
Because of the greater emphasis on individual control of personal data and the potential for more significant fines, personal data rights may well assume greater significance in the employment relationship in general, and in particular in the context of employment disputes.
Employers are already used to receiving subject access requests from employees, and the Regulation also expands upon individuals' rights to require that data processors delete, correct or restrict the processing of their personal data. In responding to a subject access request, employers will need to tell employees how long they expect to store their personal data and give details of their right to require personal data to be erased etc., as well as the safeguards applied to personal data transferred to another country.
Employers will lose the right to charge a standard fee of up to £10 for any subject access request. However (some good news at last!), they will be entitled under the new regime to charge a reasonable fee where a request is manifestly unfounded or excessive. This may discourage onerous requests from employees, and at the very least will facilitate a discussion with the employee as to how an extensive request will be handled, on the basis that if the work involved is very substantial the employee may be required to cover some or all of the employer's costs.
Will the UK need to pass domestic legislation to implement the Regulation?
Unlike Directives, European Regulations do not need to be implemented by the governments of member states to become law. The Regulation will be effective in all member states when it comes into force in 2018.
However, member states have been given power to pass domestic legislation in a few areas – including employment, to put in place 'more specific rules to ensure the protection of... rights and freedoms in respect of the processing of employees' personal data'. This means that employers which operate in more than one member state will have to be careful to check local requirements (rather undermining the stated aim of an EU-wide 'one stop shop' for data protection).
What if Brexit happens?
No one really knows what the implications would be for data protection if the UK were to vote for Brexit next month. The general consensus, however, is that employers should assume that data protection law in the UK will continue to move in the same direction as that in the rest of Europe, unless and until Parliament tells us otherwise.
What should employers be doing now?
Before the new regime comes into force in two years' time, employers should:
- Review systems for processing personal data with a view to identifying what changes will need to be made;
- Put someone in charge of implementing these changes, providing them with appropriate resources;
- Review employment contracts and policies and recruitment documentation;
- Put in place policies on storing and processing personal data and dealing with data breaches, if these do not already exist;
- Decide what consent should be sought from employees and job applicants and when, and consider the employer's position if such consent should not prove effective; and
- Train key staff on the new data protection regime.