The new General Data Protection Regulation has been published in final form. It will apply directly to UK companies from 25 May 2018. It has wide-ranging implications. All UK employers will need to make changes to their approach to data protection in order to comply.
The purpose of the new General Data Protection Regulation (GDPR) is to harmonise data protection laws across the EU and to modernise the law on data protection to take account of the new ways in which we use, share and communicate information about individuals.
Key areas of change
The GDPR builds on the current law, but tightens up obligations, adds new requirements, gives more control to individuals and increases sanctions. It will have a significant effect on your HR processes and policies and on your employee records. Here is a summary of some of the key areas of change for employers:
- Not only will you have to comply with your legal obligations under the GDPR, but you will need to be able to demonstrate how you have done so. This will involve documenting and recording how you comply on an ongoing basis.
- You will have to be more transparent about what you do with the information you hold about individuals. You will need to redraft privacy notices, which are required to be clear, accessible and concise. You will also need to include new information, such as how long you keep categories of data and what rights individuals have in relation to their data.
- You will need to be more precise from the outset about the legal basis for using information in particular ways. For example, most processing of employee information is currently permitted because it is in your legitimate interests to do so. This remains the case, but you will need to specify in privacy notices what that legitimate interest is before you carry out the processing.
- You will be required to carry out impact assessments more often, and in particular before using information about individuals in ways that present a high risk to them.
- The rules on subject access requests are changing. Time frames are altering, and individuals will need to be given more information about how you process their information and what their rights are. You will be able to refuse to provide information where a request is ‘manifestly excessive’, though it is not yet clear in which circumstances this exemption may apply.
- In addition, individuals will have the right to ask you to ‘delete it, freeze it, correct it’ if you are not complying with the law in respect of the information about them that you process.
- It is already difficult to rely on consent in the employment context for processing information, and the new law makes it more so.
- You will need to embed data protection safeguards and take steps to minimise data collection when you are introducing new processes, for example before introducing a new HR data management system or a new recruitment process. Do you really need to collect or use all the information? How does the design protect individuals’ rights in relation to their data?
- There will be less room for arguing that particular information about an individual is outside the definition of personal data (and therefore that the law on data protection does not apply to it). In particular, you will no longer be able to avoid data protection obligations by anonymising the data (the GDPR calls this ‘pseudonymising’), though doing so may still be a good way to reduce the risks of harm to an individual.
- The territorial scope of the law is increasing: the new law will apply to organisations in the EU irrespective of where the actual data processing takes place.
- You will need to report breaches of the law to the individual concerned where the risk is a high one and to the ICO (within 72 hours) unless the breach is unlikely to result in a risk to the individual. Potentially, you will need to report a manager’s lost laptop to the ICO, unless the personal data on it is encrypted. We await ICO guidance on what this will mean in practice.
- Data controllers will have to oversee data processors (for example, a payroll provider is a data processor) more closely and enter into more detailed contractual arrangements with them. Data processors will be liable for breaches in their own right.
- Crucially, the sanctions for breach are increasing to a maximum fine of up to 1 million euros or 2% of annual worldwide turnover, and the ICO will also have less scope to take a pragmatic approach to enforcement.
What do you need to do now?
Complying properly with the current law is a first step towards preparing for the new regime. The closer you are to ‘good practice’, as opposed to a risk-based approach to minimum compliance, the closer you will be to compliance with the GDPR. Compliance with the new law will involve far more active engagement with your obligations, as well as compliance with new obligations. This will inevitably involve you ‘smartening up your act’ in relation to employee records, HR processes and policies.
Find out more
Early preparation is essential. To find out what the new law means for you, and how to prepare for it, we are running a series of national seminars: The new data protection law: impact on HR processes and employee records in November 2016.
Employment is one of the few areas where the UK Government is entitled to set some of its own rules in order to protect the rights and freedoms of individuals. We do not yet know what stance the UK government will take in respect of this. We will keep you informed of developments as and when the Government makes decisions about its approach. The European Data Protection Board will also be producing essential guidance, as will the Information Commissioner during the next two years.