Despite Brexit, the UK government has indicated that it will implement the EU’s General Data Protection Regulation (GDPR), which will apply from 25 May 2018. Even if it had decided not to, companies dealing with data relating to individuals in the EU would still be required to comply, because the GDPR – subject to limited exceptions such as national security – applies not only to organisations established within the EU, but also to those outside the EU that offer goods and services to, or monitor the behaviour of, individuals within the EU.
The GDPR will apply to companies that fall into two broad definitions: ‘controllers’ and ‘processors’. The definitions are similar to those in the Data Protection Act 1998 (DPA), in that controllers decide how and why personal data is processed, and processors act on the controller’s behalf.
If you are a processor, the GDPR will place specific legal obligations and liabilities on you directly; for example, you will be required to maintain records of your processing activities and to implement appropriate security measures.
If you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
While the principles are similar to those in the DPA 1998, there are some additional requirements that UK companies need to be aware of. The most significant is accountability: the GDPR requires you not only to comply but to be able to demonstrate that compliance. This means ensuring you have adequate systems, contractual provisions, documented decisions about processing, and training in place.
Pertinent to an HR manager – and, as with the DPA 1998 – the GDPR will apply to ‘personal data’ held about employees. However, the GDPR’s definition is broader: any information relating to an identified or identifiable individual is personal data. It can include things such as genetic, mental, cultural, economic or social information, and online identifiers such as IP addresses. Even ‘pseudonymised’ data remains within scope where the pseudonym can be attributed to a particular individual by use of additional information, such as the key held by the employer.
Sensitive personal data, known under the GDPR as ‘special categories of personal data’, is broadly similar to the DPA 1998 definition, but there are some changes that will need to be addressed. It will expressly include genetic data, and biometric data where processed to uniquely identify an individual.
The issue of ‘consent’, where it is relied on to justify the use of personal data, is also a significant development. Consent must be freely given, specific, informed and unambiguous, so organisations need to be explicit when seeking it and detail how they will use the information. An individual’s silence, inactivity or a pre-ticked box will no longer be considered consent, and consent must be as easy to withdraw as to give. In the employment context, where there is an imbalance of power, relying on consent at all will often be difficult to justify.
Tips for HR professionals
HR professionals need to start acting now to ensure they’re compliant. Here’s our list of actions to consider:
- Do you need to appoint a data protection officer? Under the GDPR, some companies will be required to have one, including public authorities processing personal information; organisations whose ‘core activities’ require ‘regular and systematic monitoring of data subjects on a large scale’; or where there is large-scale processing of special categories of data.
- Do you protect privacy by design? This emphasises the importance of measures such as privacy impact assessments (PIAs), which the GDPR refers to as data protection impact assessments. As a data controller, you will use these to assess where privacy breach risks exist and how to minimise them, and they will be mandatory for processing that is likely to result in a high risk to individuals.
- Have you adequate systems in place to detect and manage data breaches that may arise and to comply with the notification requirements? The GDPR requires your data protection authority to be notified of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told. The 72-hour clock runs from awareness, not from the start of an investigation, so you need a process that escalates suspected breaches quickly and records how and when the decision to notify (or not) was made.
- Will you be able to comply with the right to erasure (the ‘right to be forgotten’) if the data subject requests it, across every system, backup and third party that holds the data?
- Will you be able to ensure compliance with the more restrictive principles of storage limitation (not holding personal data for longer than is necessary for the purposes for which it was collected) and purpose limitation (not using the data in a way incompatible with the original purpose(s) specified)?
So why is all this so important? Why do you need to consider this now? Simply, because the penalties that can be imposed will increase substantially. Depending on the ‘tier’ of the infringement, fines can be up to €20,000,000 or 4 per cent of total annual worldwide turnover (turnover, not profit) for the preceding financial year, whichever is the greater. If that wasn’t enough, we are all aware of the reputational damage suffered by those organisations that have recently been victims of data breaches.
So, while it seems some way off, there is a lot to be done between now and May 2018. Data controllers and processors need clarity on what personal data they hold, where it is held and how it is used. You need to make sure your systems protect privacy by design, internally and externally, and that contractual provisions are in place with your clients and your service providers to ensure compliance and that adequate indemnities exist.
Stephen Foster is a partner in the employment team at SAS Daniels