After a four-year gestation period, political agreement has finally been reached on the new EU legal regime for data protection. An “agreed in principle” text of the proposed General Data Protection Regulation has been published. The text is likely to be modified for linguistic and consistency reasons, but the rights, obligations and potential penalties have been determined. The law should be formally adopted around Easter 2016 with an implementation date in 2018. In brief, the Regulation aims to introduce a “one-stop shop”, with a common set of rules applying across the EU.
What are the general points of interest?
There are complex provisions to ensure joined-up regulation across Europe. Within a group operating in different EU states, the lead data protection regulator will not necessarily be the local regulator but will be determined by the location of the group’s “main establishment”.
The European Commission has claimed that the one-stop shop will save businesses €2.3bn per year, a figure that is challenged by commentators. Either way, significant savings are unlikely to arise in the employment arena. Member states have a carve-out from the one-stop shop in relation to employment – they will have power to impose more specific rules, so organisations operating cross-border may need to check local laws.
The rules are backed up by a much fiercer penalty regime. The maximum penalty for non-compliance is €20m or 4% of an undertaking’s worldwide turnover if that is higher. This is likely to lead most organisations to put greater focus on compliance. In the UK, the Information Commissioner has a reputation for a pragmatic and proportionate approach to enforcement. Under the new regime, the lead regulator may be in a different member state and – particularly where cross-border issues arise – may be responsible for determining penalties.
The law bites on any area in which a business processes data on individuals (e.g. customers, suppliers, users of a website). But it is in relation to employees that businesses are likely to process most data, both in relation to its range and quantity. So what are the implications for employers?
Information on data
Employers are currently required to provide information on the purposes for which data is processed, together with any further information needed to ensure processing is fair.
The new rules impose obligations on the quality of the information (concise, transparent, easily accessible and in plain language) and on the information itself. Employees will need to be given information on: how long data will be kept; rights of subject access and other data subject rights; the right to withdraw consent to processing (if the legal basis is consent); and the employer’s “legitimate interests” (if that is the legal basis for processing). Most employment-related processing is based on the employer’s legitimate interests and thought will be needed to identify those interests.
Although discouraged by the UK Information Commissioner, consent is commonly used as a legal basis for processing – normally through the contract of employment. The new rules tighten this. Consent must be freely given, informed and unambiguous and there must be a genuine choice.
If obtaining employment is conditional on consent, it will not be freely given. If consent is given through a document concerning other matters (e.g. other obligations under a contract of employment), it must be clearly separated from those other matters. The employee will have a right to withdraw consent at any time – it must be as easy to do so as to give consent.
Data subjects’ rights
The rules on data subject access will change. The GBP 10 fee in the UK will be abolished. The basic time limit for compliance will be reduced from 40 days to one month, although this may be extended to a maximum of two further months when necessary on account of the complexity of the request. If requests are manifestly excessive, the employer can either charge a reasonable fee or may refuse to act on the request. The employer must be able to demonstrate why the request is excessive.
These changes are likely to be helpful to employers facing requests for large amounts of data. The dynamics of handling requests will change, driving the possibility of constructive negotiation over the information to be provided.
Other rights include the “right to be forgotten” – i.e. the right to erasure, which is permitted where data are no longer necessary in relation to the purposes for which they were collected or have been unlawfully processed. The right is trumped where retention is necessary for handling legal claims. But large quantities of personal data held in an employment context are not strictly necessary (e.g. emails or records that have been superseded or no longer have a purpose). This may offer aggrieved employees leverage in disputes.
As data controller, the employer will have duties to comply with data protection principles. In addition it must be able to demonstrate compliance. This is a potentially onerous obligation as it puts the burden of proving compliance on the employer, even if it is otherwise complying with the principles. Employers must take appropriate measures to achieve this, which may include setting up and implementing data protection policies.
When implementing new systems, employers will be expected to achieve “data protection by design”. Subject to technical practicability and cost, they will need to build safeguards into those systems to comply with the rules. Measures must be taken to minimise the data collected, ensuring it is necessary for the specific purpose.
Previously data controllers have had primary liability for compliance. Under the new rules, data processors will have a duty to comply and potential liability if they fail. It is likely that making arrangements with processors will become more onerous, with considerably more thought given to what specifically the processor is expected to do. This may well be driven by the processors, who will want clarity on their responsibilities.
Employees make mistakes – they leave laptops on trains, send emails to the wrong person and are careless with passwords. Under the new rules, employers discovering a data breach must notify the regulator within 72 hours, if feasible, unless the breach is unlikely to result in a risk to data subjects. If there is a high risk to a data subject, he or she must be told. Records must be kept of all data breaches and action taken.
What should employers do now?
The new rules will not apply until 2018. Although there is no specific or pressing need to take action now, the rules have wide-ranging implications going well beyond the employment context. Forward planning and preparation will be necessary. Many of the steps to be taken are good practice under the current rules and getting things right now is likely to be the best strategy. There is no particular reason to delay.
At a high level, organisations seeking to be compliant need to embrace a culture of taking data protection responsibilities seriously. The possibility of penalties of €20m or more may well focus minds at board level.
Steps required may include:
- Identify data systems and the personal data that you process. Consider setting up an information asset register. Understand the legal basis for processing the data.
- Ensure you have the resources to prepare for change. Identify who takes overall responsibility. Consider appointing a data protection officer.
- Review privacy notices and other fair-processing information given to employees (and job applicants). Consider what additional information will need to be included – e.g. what “legitimate interests” underpin your processing? How long will you keep data?
- Assess in what contexts you rely on consent to justify processing. Consider relying on other routes.
- Review contracts of employment to see whether and how they deal with data protection (and in particular, whether you currently seek “consent” contractually).
- Establish a policy with a timeline for handling data breaches. Obtain a full picture of exposure to potential data breaches by ensuring that breaches and loss are reported to whoever is responsible.
- Train staff on data protection responsibilities and how these affect their jobs.
This article provides a brief summary of a complex piece of legislation. There are many further aspects which will apply in certain contexts. These include rules on transfers outside the EU, data protection officers and a duty to carry out a data protection impact assessment.