Data Protection: What does the new Data Protection Regulation Hold in Store for Employers?
Organisations need to start preparing for the EU General Data Protection Regulation (GDPR) which will establish a common set of data protection rules across the EU. Whilst the core concepts and general approach are not changing, the GDPR:
- Requires greater focus on the legal basis for processing personal data;
- Requires employers to provide more extensive information and policies;
- Extends the rights of data subjects; and
- Imposes greater penalties for non-compliance.
Consent will remain a legitimate basis for processing personal data but will be more difficult to obtain. The GDPR requires that consent must be freely given, specific, informed and unambiguous. Consent obtained in the employment contract is unlikely to comply with these requirements. Employers wishing to use the employment contract to obtain consent will need to include a separate signature box.
Employers may wish to consider other grounds justifying the processing of personal data, for example that it is necessary for the performance of the employment contract or that it is in the legitimate interests of the employer or a third party.
Information provided to job applicants and employees about the purposes for which personal data is processed will have to be concise, transparent, easily accessible and written in plain English. Employers will additionally be required to provide information on the legal basis for processing personal data. Where relying on the legitimate interests of the employer or a third party, the employee must be told what the employer's or third party's legitimate interests are. Employers will also need to explain matters such as:
- the source of the data (unless it originates from the data subject);
- who will receive personal data;
- how long the data will be stored for;
- their employees’ data subject rights including subject access, rectification and erasure;
- the right to withdraw consent, if relying on consent as a legal basis for processing;
- the right to complain to the regulator; and
- the legal basis for any transfer of the data to a non-EU third country.
Subject access requests
Employers will have to comply with data subject access requests without unreasonable delay or within a month (instead of the current 40 days), with a two-month extension, if necessary, taking account of the complexity of the request. The £10 fee will be abolished, but where a request is “manifestly unfounded or excessive” the employer may charge a reasonable fee, taking into account administrative costs.
Other rights of data subjects
Employees will have a number of rights which they can exercise where there has been non-compliance with the data protection principles, including the right to erasure (to be forgotten), the right to rectification, and the rights to restrict and to object to processing.
Instead of submitting an annual registration to the Information Commissioner’s Office (ICO), organisations will have increased responsibilities to maintain detailed records demonstrating compliance.
The GDPR tightens the rules on the use of data processors (such as payroll providers) and extends the formal contractual requirements needed between data controllers and processors. The processor may only process personal data if it has documented instructions from the data controller. Data processors will have to ensure data security and demonstrate compliance to the data controller and permit inspection and audit.
Currently, only data controllers have liability to data subjects for compliance but under the revised rules data processors will have a potential liability if they fail to comply.
Data protection officers
Some employers will be required to appoint a data protection officer (DPO) and others may choose to do so. Public authorities and public bodies and those employers whose core activities involve systematic monitoring or large scale processing of sensitive personal data will have to appoint a DPO. The DPO will be responsible for advising data controllers/processors of their legal obligations, for monitoring compliance and will act as a point of contact for the ICO.
Data security breaches
Employers will have to report personal data breaches (i.e. any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data) to the ICO without undue delay and within 72 hours of becoming aware of it, if feasible. If notification is made later it will have to be accompanied by a “reasoned justification”.
Potential fines for data protection breaches will increase significantly. The ICO will be able to impose fines on a two-tier basis:
- up to 2% of annual worldwide turnover of the preceding financial year or EUR 10 million (whichever is the greater) for certain breaches, including those relating to internal record keeping, data processor contracts and data protection officers; and
- up to 4% of annual worldwide turnover of the preceding financial year or EUR 20 million (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers.
What should employers be doing now?
Although the new laws do not come into effect until 2018, there are steps which employers can take now to prepare themselves for the new regime. The Information Commissioner has published guidance setting out 12 steps employers can take now to prepare for the GDPR.