Categorised in: News
The General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, aims to give control over personal data back to citizens by granting them a new set of “digital rights”. The GDPR was developed to bring data protection regulation into the 21st century, taking into account the ever-changing technology landscape.
The GDPR is an EU law that covers all residents of the European Union, as well as foreign companies processing the data of EU residents. It replaces the 1995 Data Protection Directive, but unlike a directive it does not require national governments to pass enabling legislation: it is directly binding and applicable in every Member State.
For employers, GDPR brings a number of changes to take into account when processing and handling employee data. We highlight the main changes employers must be aware of:
Under the GDPR, when personal data is collected, employers will be required to provide employees and job applicants with a privacy notice setting out the following information:
All information should be provided in a concise and transparent manner, in plain language, and be easily accessible to the subject.
Because of the subordinate nature of the employer-employee relationship, relying on consent as the basis for processing employee data has been heavily criticised, and the GDPR has therefore made the concept of consent considerably stricter.
The new regulation states that consent must be:
The GDPR states that consent is not a valid basis for processing where there is a “clear imbalance between the data subject (employee) and controller (employer)”. In practice, consent will be invalid if there is any threat of disciplinary action or other detriment for refusing it.
Consent can only be classed as informed if the data subject knows at least the identity of the data controller and the purposes of the processing. As for specificity, if the data will be processed for multiple purposes, consent must be obtained for each purpose individually; a single all-inclusive consent covering several purposes is not valid.
Unambiguous consent means that the consent must leave no doubt as to the data subject’s intention to give it. It does not have to be explicit: it can be given by a clear affirmative action. Silence, inactivity or pre-ticked boxes do not count. Obtaining explicit consent nevertheless provides an additional safeguard for the employer.
Where consent is given in a written declaration which also covers other matters, the request for consent must be “clearly distinguishable” from those other matters and presented in an “intelligible and easily accessible form”.
The GDPR also makes it clear that the employee has the right to withdraw consent at any time, and that companies must make it as easy to withdraw consent as it was to give it. If the withdrawal right does not meet the GDPR requirements, the consent will not have been validly obtained in the first place.
With GDPR, employees and prospects have the right to request their personal data to be erased if:
When an employee requests that their data be deleted, an employer that has made that data public is also obliged to take reasonable steps to inform any third parties processing it that the individual has requested the removal of any links to, or copies of, their personal data.
However, if retaining the employee data is required under EU or Member State law, or if it is necessary to establish, exercise or defend legal claims, the employer is allowed to retain it.
Employees and prospective employees also have the right to receive their personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance.
Under the GDPR, employers must be able to demonstrate that they have complied with the data processing principles it establishes. This means companies will need to put in place one or more data protection policies showing that processing is carried out in accordance with the GDPR. Employers should also be able to show that they have implemented those policies, for example by maintaining records of processing activities.
The penalties for breaching the basic principles of data processing under the GDPR can reach €20 million or 4% of global annual turnover, whichever is greater. In the case of a personal data breach, data controllers must notify the data protection authority within 72 hours of becoming aware of it, and must notify the affected individuals without undue delay where the breach is likely to result in a high risk to them. Failing to do so can attract a penalty of up to €10 million or 2% of annual worldwide turnover, whichever is higher.
The GDPR takes effect a little less than a year before the UK is due to leave the EU, so UK companies must comply with the new regulation. After Brexit, companies that wish to continue doing business with EU countries will still have to comply with the GDPR.
With that in mind, in August 2017 the UK government put forward a new Data Protection Bill mirroring the GDPR, so organisations that are compliant with the GDPR should also be compliant with the new UK data protection law.
Preparing for GDPR will require a combined approach by HR, legal, IT and compliance teams. Here are a few important steps to take now: