Data protection news

4 July 2016

The General Data Protection Regulation (GDPR) is a unified legal framework for all European Union members. You probably wonder whether if will affect the UK because of Brexit. It is still likely to do so because it will affect all members of the European Union as well as European Economic Area (the Norway option) but also because it would be very difficult for any British business and public sector to manage any data within Europe if it was non compliant with the new legislation. We are therefore safer to assume that we will need to comply. So what are the main changes in comparison with the current regime? 

  • Tougher penalties - maximum 20m Euros or 4% of world turnover - whichever is greater. This would obviously apply to the most horrendous abuses/mistakes with data but it may nonetheless toughen the whole approach to any non-compliance.
  • At the moment organisations need to provide information on a purpose, for which they process data. This will be extended to an obligation to specify a legal basis for processing as well. For employment context, the main purpose is expected to be the employer's "legitimate interest". Employees will also need to be kept informed of how long data will be kept and told explicitly about their rights, e.g. subject access.
  • Consent to process data in employment contract is now sufficient to process but it soon won't be. Consents will need to be informed and freely given, with an option to withdraw at any point.
  • There will be some changes for data subject rights too. The £10 fee will be abolished, the compliance deadline will be a month (a decrease from 40 days) although it will be more flexible to extend, if a request is complex. Where requests are clearly excessive, employers will be able to refuse complying although a constructive discussion will be required.
  • Where a breach of data occurs, employers will be obliged to inform the regulator.
  • Employers will have to actively demonstrate compliance with the law and produce, upon request, a policy and a proof of complying with it.
  • Organisations that systematically monitor data or process it on large scale will also have to appoint a data protection officer. This could be either an employee or a consultant.
Two years may seem like a lot of time but a scale of preparations for compliance is such that it would be prudent for employers to start doing it now. Below are a few actions to start with:

  • Identification of data systems, personal data and what it's used for;
  • Considering the legal basis for processing the data to establish the "legitimate interests";
  • Identifying the person to take overall responsibility for data control and considering whether an appointment of a data protection officer will be necessary;
  • Reviewing all documentation, including more detailed privacy notices and records of processing activities;
  • Designing a policy including how data breaches will be handled;
  • Figuring out how data will be protected when systems are developed;
  • Training plan for all staff who handle data, with good recording system in place (to evidence).
Data protection is a legal area on its own, although it has clear implications on employment law and practice. EVH is happy to guide members where it encroaches on people management but legal specialist advice may be required for more complex issues.