EU General Data Protection Regulation – The impact on employers

What’s it all about?

The existing law on data protection within the EU is based on a European directive introduced over 20 years ago. There is no uniform approach to data protection across the EU and significant advances in technology means the current law is out of touch with the modern world.

As part of its proposals for reform the European Commission suggested there be a common set of rules aimed at modernising and harmonising data protection law within the EU; the EU General Data Protection Regulation (the “Regulation”).

Regulations become part of the law of member states as soon as they come into force which assists with uniformity. However, the Regulation allows member states to make its own more specific rules in certain areas, including employment. So, whilst everyone will start on the same page, we may still see a difference of approach across the EU in such areas.

When will employers be expected to comply with the Regulation?

The Regulation wording was adopted last month and will come into force on the 20^th day after its publication in the Official Journal of the European Union. Employers will then be given a two year period within which time they must comply.

What are the key implications for employers?

The Regulation will bring about a number of changes affecting employers. Here’s a small taster…

Consent will be more difficult to obtain

It will be more difficult for employers to rely on ‘consent’ as a justification for data processing. For example, consent must be “freely given, specific, informed and unambiguous” and the Regulation makes clear that consent will not be “freely given” if an individual has no genuine choice and is unable to refuse/withdraw consent without detriment.

Clauses in employment contracts that purport to give consent are therefore unlikely to be effective as the employee has little ‘choice’ over their terms at the start of their employment. Employers who obtain consent this way will need to put alternative measures in place.

Direct obligations and liability for data processors

The Regulation changes the existing law to impose obligations and liability on third parties who process data on an employer’s behalf such as external payroll providers.

In 2012, an NHS Trust was fined a massive £325,000 when the company it had engaged to destroy hard drives failed to do so (and instead sold them on e-bay!) Were this to happen under the Regulation, the third party contractor could also face liability.

Parties should ensure that, going forward, their commercial contracts contain adequate clauses dealing with apportionment of liability and indemnities. Further, employers who process data on behalf of other organisations may find themselves liable as ‘data processors’ and will want to ensure that their duties are clearly defined in any contractual agreement.

Data Access Requests

The Regulation makes a number of changes relating to data access requests. The two most significant for employers are changes to the timeframe for compliance and an ability to refuse to comply with ‘manifestly unfounded or excessive’ requests.

The Regulation removes the 40 day compliance timeframe. Instead, employers are required to comply ‘without undue delay’ and within one month but have an option to extend this by a further two months “taking into account the complexity of the request and number of requests”. Requests to employers are typically complex and so are likely to attract the three month timeframe. This will be welcomed by employers who have long argued that the current timeframe is unrealistic in modern technology-dependant workplaces.

Employers will no longer be able to charge £10 to deal with a request, however, they may refuse to comply altogether (or charge a reasonable fee based on admin costs) where the request is manifestly unfounded or excessive. This will surely see an end to employers spending days wading through thousands of emails! However, the Information Commissioner’s Office (ICO), which regulates data protection in the UK, has always emphasised the importance of an individual’s right of access and, as such, it seems likely that it will expect employers to discuss such requests with individuals in an attempt to narrow these down as opposed to refusing to comply entirely.

Increased penalty for non-compliance

The Regulation will increase the maximum monetary penalty which can be awarded for non-compliance to EUR20 million or 4% of the organisations’ annual worldwide turnover (whichever is higher).

Whilst the risk of a significant penalty may well move the issue of data protection further up an employer’s list of priorities, in practice, it is unlikely to lead to higher penalties being imposed in the UK. The ICO has a reputation for adopting a pragmatic approach. Despite having the ability to award up to £500,000 since 2010, the largest penalty it has issued was for £350,000 against Prodial Ltd earlier this year in relation to 46 million nuisance calls.

However, under the Regulation the member state where the company’s main establishment is based will take the lead on enforcement regardless of where the breach takes place.

Right to be forgotten

Individuals will have increased rights under the Regulation which will include the right to request that their personal data be erased (referred to as the ‘right to be forgotten’). This topic has received a lot of attention recently – see our blog in August on the right to be forgotten being enforced against Google.

In conclusion…

In light of the two year transition period (and the impending EU referendum) employers may not be in a rush to comply with the Regulation, however, there are many changes being proposed which will affect employers and it would be prudent for those who process large amounts of personal data to familiarise themselves with the Regulation sooner rather than later. At the very least all businesses, which have not already done so, should now take steps to identify the type of personal data they currently process and the legal basis on which they rely to process this. This will be a good starting point for risk assessments further down the line…