GDPR: Changes to the data protection regime
The General Data Protection Regulation (EU) 2016/679 (GDPR) entered into force on 24 May 2016 and will apply directly in all EU member states from 25 May 2018, without the need for national implementing legislation.
What does this mean for employers?
The GDPR replaces the Data Protection Directive 95/46/EC, on which the UK's current Data Protection Act 1998 is based, and is intended to reflect the significant changes in technology and in the volume of personal data processed since that Directive was adopted.
The scope of the GDPR can be broadly broken down into three areas:
- The return of control over personal data to the users
- The simplification of the regulation of data protection
- The mandatory appointment of a data protection officer by public authorities and by organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data
To whom does it apply?
Data protection laws impose certain standards on entities who collect and control the use of personal data (data controllers) relating to individuals (data subjects). Unlike the Data Protection Act 1998, the GDPR also places direct statutory obligations on processors, i.e. those who process personal data on a controller's behalf.
Article 4(7) of the GDPR defines a data controller as a:
‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’
Personal data is defined as any information relating to a data subject, who is the identified or identifiable natural person to whom the personal data relates. Article 4(1) states that a person is identifiable if he or she:
‘can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
Data protection legislation is applicable to all areas in which a business processes personal data, including data relating to customers, suppliers and website users.
However, the implications for data relating to employees are particularly significant, as employers typically process far more data about their employees than about other data subjects: for example CCTV footage, lift or floor access records, computer log-on data, records of websites visited, phone calls made and emails sent or received.
What changes will employers need to make?
Those employers falling under the remit of the GDPR must review privacy notices and update policies and procedures to ensure compliance with the GDPR in relation to the reporting of data breaches, subject access requests, record keeping and document maintenance.
Furthermore, public authorities, and organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data, will also need to appoint a Data Protection Officer (DPO) with expert knowledge of data protection law and practice. A group of undertakings may appoint a single DPO, provided he or she is easily accessible from each establishment. Separately, a controller or processor that is not established in the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU must designate a representative in the EU. A DPO may be a member of staff or engaged under a service contract.
The GDPR will also require businesses to notify the relevant National Data Protection Authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must describe the nature of the breach, its likely consequences and the measures taken or proposed to address it; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. All breaches, whether or not notified, must be documented. The Information Commissioner's Office acts as the National Data Protection Authority in the United Kingdom.
It is therefore recommended that companies develop and implement a data breach response plan which enables them to detect, assess and report a breach within the 72-hour window. This is likely to require the designation of specific roles and responsibilities, training for employees, a breach register and the preparation of template notifications.
It may also be useful to provide training for all staff on the new legal requirements and to brief senior management on the increased enforcement powers exercisable by the National Data Protection Authority, which include administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, and on when non-compliance must be reported.
Will this affect an EU company’s subsidiaries based outside of the EU?
Yes. The GDPR will apply to subsidiaries established outside the EU where their processing activities relate to offering goods or services to individuals in the EU (whether or not payment is required) or to monitoring the behaviour of individuals, as far as that behaviour takes place within the EU.
'Monitoring of behaviour' includes tracking individuals online, in particular by profiling techniques used to take decisions about them or to analyse or predict their personal preferences. Organisations operating across several member states must identify their lead supervisory authority, which is the authority of the member state in which their main establishment is located, i.e. where the most significant decisions about the purposes and means of data processing are taken.
Will this change when the UK leaves the EU?
When the UK leaves the EU, companies will no longer be obliged to follow EU laws and regulations. As Elizabeth Denham admitted in her first speech as Information Commissioner: ‘[t]he referendum result has thrown our data protection plans into a state of flux.’
Theresa May has stated that she intends to trigger Article 50 of the Treaty on European Union by the end of March 2017, despite the recent High Court decision that the Government requires the authority of Parliament before giving notice to leave the EU and the ongoing Supreme Court appeal. If notice is given by then, the two-year negotiating period under Article 50 means the UK would leave the EU by spring 2019, unless that period is extended.
It is therefore likely that when the GDPR becomes enforceable on 25 May 2018, the UK will still be a member of the EU.
When the UK leaves the EU, any UK companies with part of their operations within the EU, or which offer goods or services to, or monitor the behaviour of, individuals in the EU, will have to continue to abide by the GDPR. As for UK data protection law after we leave the EU, the government's strategy has not been revealed. The possible scenarios include:
- A reversion to the Data Protection Act 1998
- The introduction of an entirely new data protection regulation
- The enactment of a mirrored version of the GDPR
Given the need for a consistent standard in an increasingly global economy, with many UK businesses operating in several EU countries and relying on the free flow of personal data from the EU, the third option is the most likely scenario.
What has the Information Commissioner's Office (ICO) advised?
The ICO has called for organisations to begin preparing now for the incoming GDPR and has published an overview of the GDPR, a 12-step guide to preparing for it, and its Privacy Notices, Transparency and Control Code of Practice, all of which are accessible via: https://ico.org.uk/for-organisations/data-protection-reform/.
The UK Information Commissioner, Elizabeth Denham, has stated that the ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018. She has advised that although there may still be questions about how the GDPR will work on the UK leaving the European Union, '…this should not distract from the important task of compliance with GDPR by 2018.'
If you have any questions or would like assistance in reviewing your procedures and policies then please contact:
Partner and Head of Employment
T. 020 7227 7410
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.