Reform of data protection law has been on the agenda since 2012. After years of debate and numerous drafts, a new General Data Protection Regulation (“GDPR”) was approved by a plenary vote of the European Parliament on 14 April 2016. It will come into force in May 2018 and will replace the Data Protection Act 1998.
Why should we care?
The main impact of the GDPR will be to force businesses to take data protection seriously, largely because of the massive fines for non-compliance. The GDPR carries fines of up to €20m or, if higher, 4% of worldwide turnover.
The main changes to impact employers are:
- For pan-EU businesses, “one stop” home-state regulation
- New rules (yet to be confirmed) on the use of criminal records
- A move away from reliance upon consent for processing of HR data
- Far longer and more detailed privacy notices
- A statutory basis for requiring a data protection policy
- Up to 3 months (rather than 40 days) to comply with subject access requests
- New rules on profiling which may apply to workplace technology that monitors performance or productivity
- The obligation to notify the ICO is replaced by a (more onerous) obligation to keep internal compliance records
- Intra-group data sharing arrangements will need to be formalised
- A statutory requirement to notify the ICO and data subjects if HR data is lost
- Businesses with large consumer-focused data sets will require a data protection officer, who will have enhanced anti-dismissal protection
What should we do now?
There are over two years until the GDPR comes into force and, indeed, the final official text has yet to be published. During this time HR teams should be thinking about:
- Audit. What data does the organisation hold, for what purpose, who is it shared with and where is it held?
- Security. Security standards are not changing. Most fines and litigation to date have been over security breaches, so invest in getting this right.
- Policy. Update data protection policies.
- Notices. Ensure that notices and consents are updated.
The outcome of the referendum may affect all of this. We believe it is likely that aspects of the GDPR would not be implemented if the UK votes to leave the EU.