New EU General Data Protection Regulation: four steps employers must take right away

The new EU General Data Protection Regulation introduces fines of up to €20 million or 4% of global turnover. While the rules don't take effect until May 2018, they are complex so employers must start preparations now, suggest Andrew Yule and Nancy Dickie, partners at law firm Winckworth Sherwood.

More on data protection

Employment law manual > Personal data > Data protection

General Data Protection Regulation - XpertHR resource round-up

After protracted negotiations at EU level, the new EU General Data Protection Regulation (GDPR) was published in May this year. The regulation brings with it the risk of fines of up to €20 million or 4% of worldwide turnover, for data breaches - so it must be taken very seriously.

While not taking effect until May 2018, the GDPR is complex and seeks to introduce a cultural shift in how businesses manage personal data, including that of their employees. So employers would be prudent to start to prepare early.

Of course, it is impossible to ignore Brexit, and while the EU referendum result will undoubtedly have an impact in the field of data protection, in practice the UK will still have to adopt the GDPR or something close to it. The GDPR will apply to any business trading in the EU, regardless of where it is established.

What's more, as the UK's Information Commissioner's Office has highlighted, to continue as a "safe" destination for EU data, the UK will have to establish its adequacy in the same way as other non-European countries. Given the relatively tight timescales involved, employers should start to plan for GDPR now while the detail of precisely how it will be implemented in the UK plays out over the coming months, or even years.

At the heart of the GDPR is a desire to bring greater accountability and transparency to how organisations hold personal data.

A core aim of GDPR is to establish a "one-stop shop" for data protection with a common set of rules applying across the EU. The UK will be able to legislate domestically in certain areas, including employment.

It is not clear to what extent the UK Government will take up this option, but what seems certain is that for employers operating on a pan-European basis, local data protection requirements will vary slightly across borders.

Together with new rights for employees, including the much discussed "right to be forgotten", the GDPR imposes more onerous obligations on employers, with fines of up to a maximum of €20 million or 4% of worldwide turnover in some cases. This is a significant increase on the current maximum penalty of £500,000 in the UK. Employers will need to consider the following key points.

Currently, many employees will only have a brief clause in their employment contract, giving "consent" for the employer to hold and process their personal data.

This can already be problematic, but under the GDPR this will need a complete overhaul. It will become much harder to rely on employee's "consent" as a valid reason to hold and process data - consent will have to be informed, freely given, specific and unambiguously shown.

So a "boilerplate" clause, the kind of provision usually buried at the end of a legal agreement, is unlikely to suffice. Rather, employers should look at ways to carefully document how consent has been informed and freely given, and for what purpose, or consider other grounds on which they may justify processing the data.

Show data protection compliance

There will be increased expectations on employers' governance and record-keeping, such as carrying out data protection impact assessments when initiating a new project or system and implementing data protection policies.

Employers will need to show that data protection compliance has been considered appropriately. In certain circumstances, businesses will have to designate a Data Protection Officer.

Consider data protection

The GDPR requires businesses to understand and consider data protection in all new projects and technology, and be able to demonstrate that the impact on individuals has been considered and taken into account. This has particular significance given that every employer will hold substantial amounts of sensitive personal data, eg sickness records.

Permit employees to restrict how their data is used

Individuals will have much greater rights, including increased rights to object to certain processing, and the right to be forgotten, to have data corrected and to restrict how data is used. There are also far more obligations on employers to inform employees where and how data will be held and used as part of "fair processing" notices.

Respond quickly to subject access requests

Subject access requests rights will be expanded and employers will have an obligation to comply with them without undue delay and within one month (against the current 40-day period), with a potential extension of up to two additional months.

Individuals will also be able to request their data in commonly used electronic formats.

Crucially, however, if a subject access request is "manifestly unfounded or excessive" employers will be able to charge a "reasonable" fee to cover administrative costs or refuse to comply entirely.

Ensure suppliers that process data are compliant with GDPR

Currently, suppliers that process data, perhaps a payroll bureau, have very limited liability for data compliance. That changes under GDPR. Data processors will be directly liable for some breaches of the rules. That does not, however, remove the onus on data controllers to ensure compliance; they too can be held responsible for failing to protect and use data responsibly.

Removal or requirement to inform ICO annually

The administrative burden of having to inform the Information Commissioner's Office annually of a business's data processing activities and pay the fee has been removed. In practice the increased governance and record-keeping obligations balance this change.

Mandatory data breach notification will be introduced for all data controllers who will need to inform the ICO within 72 hours of a data breach. The only exception being where there is a low risk of causing harm to individuals.

Although the rules will not be effective until 2018, given the amount of data processed by employers they would be wise to start preparations now. At this stage, you should do the following as a minimum:

  • Identify all the existing systems and contexts in which personal data is gathered, held and processed.
  • Appoint relevant personnel and advisers to ensure they understand the legal basis for processing data under the GDPR.
  • Review key employment documents, including contracts and handbooks, to update those provisions that relate to the processing of personal data.
  • Identify what other practical steps should be taken over the next 18 months to ensure they are ready for GDPR.

Andrew Yule and Nancy Dickie are partners at Winckworth Sherwood.