New EU data protection rules will have a major impact on employers - here are the key points

Irish businesses need to fall in line with all of the regulations by mid-2018.

By Ronnie Neville Partner, Mason Hayes & Curran

THE EUROPEAN UNION’S new General Data Protection Regulation entered into force just over one month ago and will apply with effect from May 2018.

Here we review some of the main implications for employers:

What is the regulation?

The regulation will replace the current Data Protection Directive. It applies directly in each member state, which should reduce the level of national variation in relation to data protection law.

Information

Employers must currently provide employees with certain information about the processing of their personal data, including the identity of the data controller and the purpose for which their data is being processed.

The new regulation expands on this and requires employers to also inform employees how long their data will be stored and of any data transfers to third countries. Employees must also be informed of their right to make a data access request and to rectify or delete their personal data.

Consent

Consent is often used as a legal basis for the processing of personal data. Where consent is relied upon, the consent must be freely given, specific, informed and unambiguous.

Employee consent is generally not considered by EU data protection regulators – including the Irish Data Protection Commissioner – to be valid. This is because an employee’s consent is usually not deemed to be ‘freely given’ in light of the imbalance of power between employee and employer.

The regulation reflects this position and states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract.

Regarding consent, it further says: “In the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”

The regulation also provides that data subjects have a right to withdraw consent at any time.

It is still best practice for employers to seek employee consent under the employment contract, but employers should be cautious about relying solely on consent to justify processing employees’ personal data.

Employers may justify the processing of employees’ personal data based on the employer’s ‘legitimate interests’ – but thought would need to be given to this.

Data access requests and officers

The regulation reduces the time limit for complying with a data access request from 40 days to one month. Under the new rules, employees will be able to make subject access requests free of charge.

‘Data protection officers’ need to be appointed by all public authorities, except courts acting in their judicial authority, and by entities involved in regular monitoring or large scale processing of sensitive data.

Their main roles are to:

  • advise data controllers/processors of their legal obligations
  • monitor compliance with the regulation and with data policies and related training
  • be a point of contact for the regulator

They must be independent and may be employees, contractors or consultants.

Impact assessments

Employers must carry out data protection impact assessments where the processing is likely to place individual rights at high risk. The regulation contains a non-exhaustive list of instances which would require an assessment, including when sensitive personal data is being processed on a large scale or when the data controller is monitoring publicly accessible areas.

Breach notifications

If an employee’s actions result in a data breach, there is a mandatory obligation to notify the supervisory authority without delay, within 72 hours if possible. Where the breach poses a high risk to privacy rights, affected data subjects must be notified without delay.

Conclusion

The regulation will have a significant impact on employers. Breaches can result in penalties of up to €20 million or 4% of annual worldwide turnover for the previous year, whichever is greater. It is important not to underestimate how much work will be needed to comply with the regulation by the deadline.

Top tips

  • Think about how to best recruit, train and resource a data protection officer
  • Put in place clear data policies and procedures, particularly in relation to data breaches, in order to ensure timely notification
  • Review clauses regarding ‘consent’ in employment contracts
  • Ensure that there is a legitimate basis for the retention of data stored, and for the transfer of any data, such as in relation to HR
  • Ensure privacy notices and policies are easy for employees to understand.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Ronnie Neville is a partner in the employment law and benefits team at Mason Hayes & Curran.
