On 14 April 2016, the European Parliament voted to approve a new ‘General Data Protection Regulation (GDPR)’, a common set of data protection rules that will apply across the EU. The motive behind the change is to modernise EU data protection rules so that they are fit for purpose in a ‘digitised world of smartphones, social media, internet banking and global transfers’.
As this is an EU Regulation (as opposed to a Directive), it will be directly enforceable in the UK without the need for any domestic legislation implementing it. In other words, it will automatically apply in UK law and the current Data Protection Act 1998 will be repealed. However, the questions on everyone’s mind are: how is this Regulation different to the current data protection regime, and what steps should employers take to accommodate these changes?
What are the key changes for employers?
Under the current regime, many data protection restrictions are relaxed when an individual consents to the data processing. For consent to be valid under the GDPR, it must be a ‘freely given, specific, informed and unambiguous’ indication of the individual’s wishes, given by a statement or a clear affirmative act; silence, pre-ticked boxes or inactivity will not do. The bar for ordinary consent is therefore raised close to the current standard for explicit consent, and explicit consent remains necessary where sensitive personal data is to be processed on the basis of consent. Furthermore, where consent is given through a document concerning other matters (e.g. other obligations under a contract of employment), it must be clearly separated from those other matters and presented in clear, plain language. If obtaining or keeping employment is made conditional on consent to processing that is not necessary for the employment contract, the consent will not be freely given.
Existing consents will still be valid, provided they meet the new conditions. Employees will also have a right to withdraw consent at any time – it must be as easy to do so as to give consent.
Personal and Sensitive Personal Data
The Regulation applies to all personal data from which a living individual is identified, or identifiable. The definition of ‘personal data’ has been widened. It now expressly includes online identifiers and location data (e.g. IP addresses and mobile device IDs).
The current concept of ‘sensitive personal data’ has also been retained and extended – it now covers ‘genetic’ and ‘biometric’ data (i.e. fingerprints, facial recognition, retinal scans etc). As with the current regime, processing of this type of data is subject to more stringent conditions than other forms of data: it is prohibited unless a specific condition applies, such as the explicit consent of the data subject or the processing being necessary for the employer to comply with its obligations under employment law.
Data Protection Officers
Some employers will need to appoint a Data Protection Officer. These include:
- Public authorities;
- Organisations whose core activities involve the ‘regular and systematic monitoring of data subjects on a large scale’; and
- Organisations whose core activities involve large-scale processing of sensitive personal data.
The Officer will need sufficient expert knowledge of data protection law and practice, and may be an employee or engaged under a service contract. A group of undertakings may appoint a single Officer, as may certain groups of public authorities.
Subject access requests
Under the new subject access request regime, there will be no fee for making requests (previously there was a £10 charge), and employers will have to respond within one month (previously 40 days), although this period may be extended by a further two months where requests are complex or numerous. However, if a request is manifestly unfounded or excessive, the employer may charge a reasonable fee or refuse to act on it.
Data breach notification
Under the new regime, employers that discover a data breach must notify the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to any data subjects. If notification is made after 72 hours, it must be accompanied by a reasoned justification for the delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
Ex-employees’ right to be forgotten
Employers must promptly delete an employee’s data if any of a number of grounds apply. These include where the data is no longer necessary for the purpose for which it was collected, or where the employee withdraws consent and there is no other legal basis for the processing. Where the employer has made the data public, it must also take reasonable steps to inform third parties processing that data that the data subject has requested the erasure of any links to, or copies of, it.
What steps should employers take now?
The new rules are not expected to come into force until 2018. It is worth noting that the UK government has been fairly critical of the new regime, and it will therefore be interesting to see what happens to it in the event of a Brexit. Nevertheless, prudent employers should consider the Regulation and the future changes they may need to make, as the rules have wide-ranging implications in the employment context. The Information Commissioner’s Office (ICO) has issued helpful guidance on ’12 steps to take now’ for employers. Other steps required may include the following:
- Familiarise yourselves with the GDPR and identify the relevant obligations for your organisation;
- Review contracts of employment to see whether and how they deal with data protection and, in particular, whether you rely on “consent” obtained contractually;
- Ensure you have the resources to prepare for the change, and consider the appointment of a Data Protection Officer if necessary;
- Train staff on their data protection responsibilities; and
- Amend or implement a policy on the retention and storage of data, including emails.
If you would like to discuss your organisation’s data protection requirements, or have any further questions, please feel free to contact a member of the Devonshires Employment Team.