Are you ready for the General Data Protection Regulation?
Significant changes are on the horizon - the EU General Data Protection Regulation (‘GDPR’) comes into force on 25 May 2018.
The GDPR will:
- expand the territorial scope of data protection laws;
- increase the penalties for transgressions to up to €20,000,000 or 4% of worldwide turnover, whichever is higher; and
- radically change the processing, recording and other compliance obligations of businesses.
Here are 11 ways to start getting your workplace ready:
1. Map and audit HR data and processes
Start determining what workforce data you process and why, where you send it and who you share it with. This will help to inform decisions about the legal basis for processing such data in future.
To do this you should conduct a data-mapping exercise, a process that shows how data from one information system transfers to another, and an audit. Audits assess your data protection practices by looking at whether you have effective policies and procedures in place, whether you are following them and identifying where improvements could be made.
2. Make sure your third-party processors are also compliant
The GDPR imposes more onerous obligations to ensure that the right contractual guarantees are in place when organisations appoint data processors, so these agreements should be reviewed and overhauled as part of the audit process. You should start by identifying your data processors, such as payroll providers, and reviewing the contractual terms. Your audit should review what due diligence you have in place to vet third-party processors prior to appointment and check that the written agreements you have with them meet compliance requirements. Where you share data with other controllers, you should also examine the protocols in place.
3. Establish a cross-border inventory of data flows
Catalogue your cross-border workforce data flows, in order to consider your approach to overseas transfers in light of recent developments such as the EU-US Privacy Shield (the current framework for exchanges of personal data between the USA and the EU, replacing the Safe Harbor principles) and challenges to model clauses (EU-approved contractual clauses which can be put in place between the data exporter and recipient ensuring protection of the data).
4. Appoint a data protection officer
Companies whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale have to appoint a data protection officer. This must be a person with expert knowledge of data protection law and practices, whose job is to monitor internal compliance with the GDPR. This person has to be independent and will gain a number of workplace protections, similar to a Trade Union or Works Council representative.
Even if you are not required to appoint a data protection officer, it is advisable to appoint somebody within your organisation to monitor any data processing to ensure that it complies with your GDPR obligations, given the potential level of fines under the new regime. Although in these circumstances it is best not to call them a ‘data protection officer’, as this would mean that even if they are not a mandatary data protection officer they could be entitled to all of the same rights and protections.
5. Don’t rely on consent to justify your processing (where possible)
Many employers currently rely on employee consent to justify all their workforce data- processing activities, by including a clause in the employment (or freelancer) contract at the outset of the relationship. This will be problematic under the GDPR, which incorporates the long-held view of the European regulators that consent to processing in the context of a contractual employment relationship cannot be considered as freely given.
Under the GDPR, consent must be actively and freely given to be a valid basis for data processing – silence or inactivity do not count. The GDPR also states that where consent is given in a written declaration that also deals with other matters, the request for consent must be clearly distinguishable from those other matters and in an intelligible and accessible form. It must be as easy to withdraw consent as it is to give it, and if there is a clear imbalance between the parties, such as in an employment relationship, consent is presumed not to be freely given. It is clear from all these factors that signing an employment contract with a general consent clause cannot amount to freely given consent. Moreover, typically, insufficient information is given in employment contracts to meet fair-processing requirements under the current law, let alone when the GDPR comes into force.
Another reason to move away from consent as a basis for processing is that it will trigger certain rights on the part of the employee. For example, employees will be able to retract their consent at any time, preventing data controllers and processors from processing their data.
Fortunately, consent is only one of a number of valid conditions for processing personal data. Conducting an audit will enable you to identify the various types of workforce personal data you need to process in the course of the employment relationship and you will be in a better position to find another valid basis for the processing. To take a straightforward example, employees’ bank details are needed to pay salary but this processing can be justified on the basis that it is necessary for the performance of the contract rather than through consent.
Another example would be monitoring employees’ use of IT systems for data security reasons. Seeking consent to do this could cause problems, as it might be withheld or revoked. Instead, you could justify the processing on an alternative ground, such as your legitimate interests (depending on the reasons for the monitoring), or your legal obligations to maintain the security of the data that you handle. Similarly, performance management data about employees could be justified for the purposes of legitimate interests pursued by the data controller.
Employers should in future rely more heavily on these alternative bases for processing data. On the rare occasion where it remains necessary to obtain consent to process data, employers should consider carefully what specific information they must provide to the data subject when seeking consent. Where consent is obtained, it must be given actively, separately and freely – and the employer must be able to evidence compliance.
Whilst employers may move away from having a general, all-encompassing, ‘data protection’ clause in the employment contract, there are some data protection related contractual clauses they should retain – in particular, ensuring that employees are aware of their own responsibility to process personal data properly and the consequences of failing to do so. Other policies (such as “bring your own device” and data security policies), training rules and disciplinary procedures should also be double-checked to ensure that they address the issue of employee accountability.
6. Adapt your privacy notices and policies
Under the GDPR, data subjects will be entitled to receive a lot more information about their data and how it is handled than under current law. This “fair processing information” includes information about who has access to the data, why, how long it will be held for, and their rights. This means that you will have to spell out the rights of the data subject – such as the right to withdraw consent to data processing and to lodge a complaint with the data protection agency in the country concerned.
The notice must specify the purpose and legal basis for processing each category of personal data, and this should be informed by the audit you have undertaken. Existing privacy notices for your workforce will need to be considerably revised.
7. Get ready for changes to data subject access requests and think about how to respond when employe
The 40-day time limit for responding to data subject access requests (‘DSARs’) is being reduced to one month. If requests are complex or there are a number of requests from the same source, this limit can be extended by a further two months. A ‘reasonable fee’ can be charged if the request is manifestly unfounded or excessive.
It is advisable to have a process which logs and tracks DSARs. You may need to introduce such processes if you do not already have them.
Responding to DSARs is often complex and you should train appropriate individuals to handle them, to apply consistent principles when making objections and to ensure that third party data is handled appropriately. Depending on the size of your organisation, this may be one person or a team, most typically in HR or legal. Data subjects will have a right to access more information about how their data is processed under the GDPR and so you should review any existing training provided to those handling requests to ensure that you remain compliant.
8. Make sure you’re ready for ‘Privacy by Design’
The GDPR requires organisations to implement policies, procedures and systems at the outset of any product or process development to ensure data protection compliance (“privacy by design”). Privacy impact assessments will be required where there is a high risk to the rights and freedoms of data subjects, in order to establish whether any proposed processing is reasonable in the circumstances. Some HR activities may fall within those regarded as high risk.
As a general rule, recording how you balance the conflicting interests and rights of data subjects against your business’s rights or those of other data subjects is a central theme of privacy compliance. Impact assessments which record how you arrived at a particular decision are recommended.
9. Data breach management
Organisations will have to notify relevant data breaches to a supervisory authority within 72 hours. They should therefore give very careful thought to breach prevention and ensuring that any breaches are handled in the right way. This involves raising awareness of data handling issues, training staff on appropriate behaviour and ensuring staff know what they need to do in the event of a data breach. It will also be necessary to implement joined-up training across multinationals, as a breach may concern more than one jurisdiction.
This has already been mentioned but it deserves a heading in its own right – key topics are data awareness, data security, and subject access. The entire workforce should be trained in data awareness and you should record who has received it. Those with specific responsibilities to handle personal data should receive enhanced training.
11. Consider who your lead regulator will be
The lead regulator is the supervisory authority in the country where the controller/processor has its main establishment. Which country should that be for your business?
Although the GDPR will not be in force until 2018, there is such a lot for businesses to do that it is important to start preparing now.
What to do next?
If you would like us to assist you getting your workplace ready, contact us.