The General Data Protection Regulation – the employers’ perspective
June 2016 | EXPERT BRIEFING | RISK MANAGEMENT
After more than four years of negotiations, the European Parliament formally adopted the General Data Protection Regulation (GDPR) on 14 April 2016. With effect from 25 May 2018, the GDPR will replace the 1995 Data Protection Directive as well as the national data protection acts of the Member States of the European Union and set the data processing framework for businesses and government authorities processing personal data about employees, customers and citizens.
The negotiation process involved the European Commission, the European Parliament and the European Council and the final result is 99 articles governing a number of different issues and situations.
Despite the significant extent of the GDPR, some details have been left for the Member States to decide and as a result a number of legislative tasks now lie ahead. Thus, the GDPR contains a great number of possibilities for adopting supplementary provisions at a national or EU level. In addition, various national acts and executive orders will have to be ‘aligned’ with the new GDPR. For that reason, over the next couple of years we will see the Member States and the national data protection authorities working to fill in the gaps relating to the new data protection practice and guidelines in collaboration with the new supranational European Data Protection Supervisory Authority.
Even though not all the implications of the GDPR are known yet, one thing is certain: all employers will be affected by the GDPR. In addition, the GDPR will affect those businesses and government authorities which process personal data about customers, citizens, etc., other than for HR purposes. In the area of employment law, the GDPR also includes a provision authorising Member States to implement specific national provisions in connection with the protection of employee data.
Not everything is new and the GDPR contains many familiar provisions. Generally speaking, a lot of the provisions in the European Data Protection Directive are re-enacted by the GDPR. This is the case for a number of provisions – from those governing the processing of personal data or data subject rights to safeguards and security measures. Some of the well-known principles which may currently form the basis of processing may therefore continue to do so in the future as well. For employers, for example, an employment contract may also, with the new regime, form the basis of the processing of various employee data. Similarly, employers may also expect in the future to receive subject access requests from their employees. And separate data processor agreements must also, in the future, be entered into with external processors – such as providers of IT services, personality tests and payroll administration services.
The GDPR also contains a number of elements which until now have not been generally used in Europe. By way of example, some data controllers are required to appoint a data protection officer to inform and advise the data controller in order to ensure compliance with the GDPR. The data protection officer will enjoy protection against dismissal. All government authorities and certain businesses must have a data protection officer.
There will also be a number of procedural requirements to replace the current notification procedure. This means, among other things, that data protection impact assessments will have to be prepared in certain contexts and that records must be kept of the personal data being processed and the purposes of such processing, etc.
In addition, there is a new requirement that government authorities and businesses must report any security breaches to the national data protection agencies on their own initiative.
As a new development, fines will be a real risk factor. The much debated fine regime has been adopted, resulting in sanctions of up to €10m to €20m, or 2 to 4 percent of the business’s global turnover, whichever is higher. Although the sanctions will depend on which provisions the breach concerns – and the circumstances in which such a breach takes place – there is no doubt that the intention of the new regime is to dramatically increase the level of fines compared to the former data protection acts.
The level of the potential fines alone makes it a real risk factor for businesses to breach data protection law in the future, and even though not all the details are in place, it is not too soon to begin preparing for the new data protection regime. Whatever the detailed rules of the GDPR turn out to be, the precondition for compliance in this area of the law is that businesses and government authorities are actually in control of the personal data they hold. And this is easier said than done. With modern technology, personal data is collected and used to an ever-increasing extent – and not all data collection operations are known even to the controllers.
The process involved in mapping the data flow of employee data alone may be an enormous task when employers need to be in control of every aspect, from data collected via access cards or data collected in HR systems, to data transfers between group companies or business partners. And, in practice, the new documentation requirements mean that it will be important to keep a clear head to ensure that the policies implemented have the right content. In other words, there is plenty of work to be done.
Further, as a result of the GDPR, employees also have an increased focus on data protection. This is already being seen in, for instance, termination situations where privacy-related issues are raised by employees and their unions. In light of the GDPR, this trend is definitely not expected to diminish.
Elsebeth Aaes-Jørgensen is a partner, and Jens Harkov Hansen and Sara Baldus are associates, at Norrbom Vinding. Ms Aaes-Jørgensen can be contacted on +45 35 25 39 40 or by email: firstname.lastname@example.org. Mr Hansen can be contacted on +45 35 25 09 41 or by email: email@example.com. Ms Baldus can be contacted on +45 35 25 53 52 or by email: firstname.lastname@example.org.
© Financier Worldwide
Elsebeth Aaes-Jørgensen, Jens Harkov Hansen and Sara Baldus