The General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018. The GDPR will update and harmonise data protection procedures, address new technological developments and bolster enforcement across the EU.
Following the UK’s decision to leave the EU, the current government has indicated that it will implement the GDPR to secure unimpeded data flows between the UK and the EU, particularly to underpin free trade, though it has not yet indicated whether the UK would seek an EU “adequacy” decision in Brexit negotiations or what alternative arrangements might arise.
There are several critical differences between the GDPR and the current data protection regime (the Data Protection Directive, introduced in 1995). The GDPR will enhance rights for individuals, including:
> providing them with easier access to their personal data
> providing better information about what happens to their personal data once it is shared
> a “right to be forgotten” where individuals can have their personal data deleted when the data controller has no legitimate grounds for retaining it
> a right of data portability whereby individuals can transfer their personal data to another service provider
> a right to object to profiling.
Data Subject Access Requests
Data subject access requests will continue to exist, but the employer will be required to provide additional information, namely the envisaged period of storage; details of “delete it, freeze it, correct it” rights; and the safeguards applied on a third country transfer of data. The employer will be obliged to comply within one month, with an extension of two additional months if necessary, taking into account the complexity of the request. The £10 fee will be abolished, though where a request is “manifestly unfounded or excessive” the employer may either charge a reasonable fee, taking into account administrative costs, or may refuse to act on the request altogether.
Where a data security breach occurs, under the GDPR data controllers must notify the national data protection authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk for the rights and freedoms of the individuals concerned. The GDPR will also remove the requirement for companies to submit an annual registration with a national data protection authority, instead requiring them to maintain detailed documentation showing data processing compliance.
The GDPR will have a tougher penalty regime. The maximum penalty for non-compliance will be €20m or 4% of the undertaking’s worldwide turnover (compared with a current maximum penalty in the UK of £500,000).
The GDPR is likely to require organisation-wide changes for many businesses, to ensure that personal data is processed in compliance with the new requirements. Although data protection legislation applies to all areas in which a business processes personal data, including data relating to customers, suppliers and website users, the implications for data relating to employees are particularly significant, as businesses are likely to process significantly more personal data in relation to employees than in other contexts.
Changes for employers to consider include:
> ensuring that sufficient resources to prepare for the changes have been allocated
> identifying all existing data systems and personal data processed
> redesigning systems that process personal data
> updating data protection policies
> implementing a policy on retention and storage of data
> training staff on data protection responsibilities
> establishing processes for dealing with data breaches
> renegotiating contracts with third party data processors
> restructuring cross-border data transfer arrangements.