Privacy Reigns – The New Data Protection Regime
The most significant development in data protection law for many years, the General Data Protection Regulation (GDPR), came into force in May 2016 and must be implemented by organisations by 25 May 2018. The GDPR increases individuals’ rights and imposes greater obligations on organisations. Organisations that do not comply will be liable to hefty fines depending on the type of breach, potentially up to 4% of annual worldwide turnover or €20m, whichever is the greater.
The GDPR will apply despite Brexit. The implementation date is prior to the UK’s departure from the EU and the recent Queen’s speech indicated there would be a new Data Protection Bill to replace the Data Protection Act 1998 and implement the GDPR, putting the UK in a position to maintain the ability to share data with EU member states after Brexit.
The key changes can be summarised as follows:
Higher standard of consent
Many employers currently justify the processing of personal data based on employee consent. Under the GDPR, the threshold for valid consent will be higher and will be valid only if it is given freely and is a specific, informed and unambiguous indication of the individual’s agreement to the processing of his or her personal data. Free consent implies that it can be revoked at any time. The recitals to the GDPR state that consent may not be freely given where there is an imbalance of power such as an employer-employee relationship. Employers will therefore need to move to one of the other legal grounds for processing employee data. This could be contractual necessity (most employee personal data will be processed for the purposes of performing the employment contract); a legal obligation (e.g. in relation to social security); or the legitimate interest of the employer (e.g. employee monitoring).
More detailed privacy notices will be required. For example, notices should include:
- the lawful basis of processing;
- how long data will be stored for;
- details of the individual’s right of access, right of rectification, right to object to processing and to request erasure of personal data.
Breach notification
Organisations must report any data protection breach that is likely to result in a risk to the individual (e.g. identity fraud) to the Information Commissioner’s Office within 72 hours. A report must also be made to the individual if the breach is likely to result in a serious risk to that individual.
Enhanced rights for individuals
Enhanced rights include the following:
- Access rights - the £10 fee will be removed and individuals will be able to seek access to their personal data free of charge. Organisations will be able to refuse requests that are excessive or are manifestly unfounded.
- Rectification - individuals already have the right to have inaccurate personal data rectified. This right is extended under the GDPR to have incomplete data completed. This is a valuable right, as partial data can give a misleading or false impression.
- Erasure - where personal data is no longer necessary, an individual has the right to require its erasure. It also applies, for example, where an individual withdraws consent to its processing and there is no other ground on which it can be lawfully processed. Where an organisation has made the personal data public and is obliged to erase it, it must inform other data controllers. There are exemptions from the right to erasure, e.g. where the data is needed for legal proceedings or for the purposes of securing freedom of expression.
What should employers do now?
Although the GDPR does not need to be implemented until next year, the scale of the changes means employers need to be taking steps now to assess current practices and identify any gaps against the GDPR. Employers should:
- Conduct a data audit in order to get a sense of the different types of information being processed and the reasons why it is being processed;
- Assess the legal basis for processing and, where consent is relied on, check whether this is still valid;
- Conduct privacy impact assessments;
- Check what documentation is in place (e.g. privacy policies, security procedures for dealing with rights requests and breaches) and update it where necessary.