Employers guide on the amended data protection laws
Employers guide on the amended data protection laws
The European Parliament has agreed to replace the current EU Data Protection Directive with a new General Data Protection Regulation (GDPR).
The GDPR will apply directly to public and private data controllers in EU Member States when it comes into force in 2018. This will mean that the Data Protection Act 1998 (DPA) will require amending. The Information Commissioners Office (ICO) will continue to be the UK’s regulatory authority. The GDPR introduces a statutory requirement for a data protection policy.
The main differences between the GDPR and the Directive from an employment perspective relate to: consent; criminal records; data subject access requests; technology; data protection officers and data breaches.
Consent
Under the Directive consent must be ‘freely given, specific and informed’ but such words are not included in the DPA. It has long been held by the ICO and the Article 29 Working Party that including an express provision regarding consent to process data in an employment contract as a condition of employment is not “freely given consent”. This has been expanded upon in the GDPR where consent must be ‘freely given, specific, informed and explicit. This is qualified in that the language relating to consent must be ‘clearly distinguishable’ and that consent can be withdrawn.
Therefore, silence, pre-ticked boxes or inactivity will not constitute consent.
The GDPR is clear that controllers must be able to demonstrate that consent was given and employers should review their systems to ensure they have an effective audit trail.
The corollary is that under GDPR, individuals that have consented to the processing of their data, will have a stronger right to have their data deleted.
Criminal records
Under the DPA, sensitive personal data goes further than required by the Directive and includes the commission or alleged commission of an offence. The GDPR includes a specific prohibition on the processing of criminal convictions unless permitted by member state law. The UK will need to enact secondary legislation to permit employers to undertake criminal record checks.
Data subject access requests
This is the “bane of the lives” of many in HR and normally surfaces as part of a grievance process or employment tribunal claim. The rules for dealing with data subject access requests (DSAR) will change under the GDPR:
- in most cases employees will no longer have to pay a fee for making a DSAR;
- the deadline for compliance will be one month (rather than 40 days), which can be extendable by a further two months;
- if a request is “manifestly excessive” then an employer can charge a reasonable fee or refuse to comply. If an employer wants to refuse a request, it will need to have policies and procedures in place to demonstrate why the request meets these criteria; and
- additional information will need to be provided as part of DSAR (such as, data retention periods and the right to have inaccurate data corrected).
Technology
The GDPR set limits on the use of “profiling” relating to generated computerised data analysis on an individual’s performance at work, economic situation, location, health, preferences, reliability or behaviour based on the automated processing of his/her personal data. Under the GDPR, profiling would, as a general rule:
- only be allowed with the consent of the individual concerned, permitted by law or when needed to pursue a contract; and
- cannot be based solely on automated processing and should comprise human assessment.
Data protection officers
Under the GDPR public authorities and employers that control large data sets for their core business must designate a Data Protection Officer (DPO). A DPO can either be an internal or an external person. The DPO must take proper responsibility for data protection compliance and has the knowledge, support and authority to do so effectively.
Employers should assess whether its current approach to data protection compliance will meet the GDPR’s requirements.
Data breaches
Some employers are already required to notify the ICO (and other bodies) when they suffer a personal data breach. The GDPR will extend this obligation to all employers. Not all breaches will have to be notified to the ICO. Only breaches that are likely to cause an individual to suffer some form of damage (such as, identity theft or a confidentiality breach) need to be reported. If HR data is lost or hacked into and there is a risk to individuals then an employer must notify the ICO within 72 hours and, potentially, also notify employees.
Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Breach of the GDPR can result in fines of €20m or, if higher, up to 4% worldwide turnover.
Conclusion
Employers should make sure that decision makers and key people in their organisation are aware that the law relating to data protection will change under the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
General Data Protection Regulation (GDPR) Training Packages
IBB’s data protection and GDPR lawyers can keep your business or organisation on the right side of the GDPR obligations. If you would like advice on the new regulations, GDPR training packages or any of our other services please call 03456 381381 or email corporate@ibblaw.co.uk.