This article has been submitted by NewLaw Solicitors
It is now just over three months until the provisions of the General Data Protection Regulation will be directly applicable in all EU member states (25 May 2018) and for those of you paying attention that still (subject any radical failure/success of Brexit negotiations) includes the UK.
Regardless, this fact will likely yield a plethora of differing responses. Some will give an indifferent shrug and say that is a problem for early June, some will scream “didn’t we vote to leave Europe and all its evil red-tapery?” and others will have that sense of dread and nausea that you would normally associate with watching a Transformers movie. While each of these responses represent the more extreme viewpoint all employers need to be aware of the directive, the requirements it will place upon them and the steps they need to take to comply.
The GDPR was four years in the making and aims to harmonise data protection laws across the EU as well as update and replace the now 20 year old provisions. Such provisions having been drafted while Mark Zuckerberg was ten, Ant and Dec still hung out in Biker Grove and comedy cat videos could only be seen on Jeremy Beadle’s “you’ve been framed”. While it’s clear that the directive and the Data Protection Act which followed gave consideration to the advent of the internet age, they could not have predicted the extent to which it would permeate our daily lives and the knock on effect that has on our privacy and personal data.
Given the above, the need for an update should be obvious and while arguably the GDPR for the most part codifies best practice it does demand a shift in perspective making organisations take a proactive approach to the collection, use and retention of data. Compliance is meant to be by design or default, as such proper systems and methods of accountability will be crucial to employers avoiding increased penalties.
By way of summation the GDPR will apply to the processing of personal data either through automated or other means (where it is or is intended to be part of a filing system) and introduces:
A new standard for consent (freely given, specific, informed and unambiguous indication)
While blanket data processing consents in contracts of employment have long been viewed as a less than ideal solution they are still utilised by many employers. Post GDPR it may be difficult for an employer to argue consent is freely given where the individual’s very employment may be dependent on the contract being accepted. Further, under the new provisions consent can be withdrawn at any time and employers will need to consider how they inform employees of that right and implement it in practice.
Employers may not be able to rely on consent obtained prior to 25 may 2018 and going forward will need to justify processing employee data on that basis. Before that point employers should assess their current contracts and consider whether processing may be justified under a different ground. Here it may be easier to show processing is necessary; for the performance of the employment contract or for the purposes of the employer’s legitimate interests.
Changes to the information provided to employees/prospective employees
As it stands employers, at the point information is first collected, should provide employees / prospective employees with a notice detailing why information is needed and how it will be processed this is often contained within a Privacy or Fair Processing Notice. Under the GDPR this requirement will continue however the notice itself will need to include significantly more information.
While keeping the notice concise, transparent and easily accessible employers will need to give information about how and for how long the data will be stored, likely recipients as well as information on the right to make a subject access request and to have data deleted or rectified. Here employers should be reviewing current privacy notices in advance of 25th May 2018.
New reporting requirements
The GDPR will bring with it, for better or worse, mandatory breach reporting. Meaning if there is a data breach, be it accident or unlawful action, the employer will have to notify the regulator without undue delay and where feasible within 72 hours of becoming aware of the breach. In making the report the employer must explain what happened, detail the potential numbers affected, likely consequences and any response measures taken.
Extended data subject rights
The GDPR will also introduce an enhanced right to “erasure”. Sadly this had little to do with late 80’s / early 90’s synthpop and more to do with the right to be forgotten, to require an employer to delete any personal data they may hold when it is no longer necessary to hold it or where the employee withdraws consent and there is no other ground to justify continued processing.
Where a subject access request (SAR) has been made employers will no longer be able to impose a £10 administration fee rather the information must be provided without charge unless the request itself is manifestly unfounded or excessive. Further, where employers previously had 40 days to respond to the request they will now have to deal any SAR without undue delay and within one month.
Substantive fines for non-compliance (up to 4% of annual worldwide turnover or €20 million – whichever is greater) mean that employers must sit up and take notice of the GDPR. So while I can understand the desire to put it on the back burner (believe me the rules do not make for an exciting read) unfortunately much like the Transformers franchise; ignoring it isn’t going to make it go away.
If you are worried about the impact of GDPR on your business, then we at NewLaw solicitors can help, offering a range of training and documentation services. Feel free to contact Damian Burns, one of our Senior Employment Solicitors, for more details: 0333 3217140, [email protected]