A HR PERSPECTIVE ON THE NEW EU DATA PROTECTION LEGISLATION
Claire Kelly
Head of Growth and Partnerships at Sigmar Recruitment, Non-Executive Director, NOW Group
After years of negotiations, the EU institutions agreed on the text of the EU's successor privacy legislation: The General Data Protection Regulation (GDPR).
The GDPR will replace the “mismatch” of 28 different EU Member States' laws with one unifying data protection law which, in theory, will lead to a more consistent approach to data protection for all businesses across the EU.
As well as harmonizing the EU data protection legal framework, its main objectives are threefold:
- The GDPR increases the rights for individuals.
- It strengthens the obligations for companies.
- The GDPR increases sanctions in case of non-compliance. Data protection regulators will have the power to impose fines of up to €20,000,000 or 4% of total worldwide annual turnover.
It is therefore fair to say that the GDPR is the most important change in data privacy law in the last twenty years.
THE BALANCING ACT OF PRIVACY AND HR?
Sometimes it can be difficult to maintain a balance between employees' privacy and the policies put in place to protect the employer's best interests (camera surveillance, use of the internet, email and social networks, etc.). There are, however, several laws on these issues.
It begins with article 8 of the European Convention on Human Rights, which outlines rules concerning the protection of private and family life, the home and correspondence. Case law based on this article specifies that employees have the right to privacy, even in the workplace.
The main objective of the GDPR is to harmonize data protection laws throughout the EU. Where a collection of companies is based in several EU Member States, the rules applicable to the processing of HR-related personal data will now be universal. This is an important improvement for big multinationals, who may struggle to ensure they are compliant with 28 local variations of EU Data protection law.
There is, however, one important element that has changed with regard to personal data in the employment area. The GDPR specifically authorizes individual Member States to implement more specific rules in respect of the processing of HR-related personal data.
This therefore means rules relating to the processing of personal data for the likes of recruitment, performance, diversity, health and safety, medical needs etc. may still be adopted on a national level.
In short, it will remain important for HR professionals to continue to follow national law developments in the field of privacy in the workplace as well as the more generic GDPR.
WIDER SCOPE; GLOBAL IMPACT
The GDPR will not only affect the way in which employers process the personal data of their employees, but also HR service providers that process information on behalf of the employer (RPOs, managed services, recruitment companies, payroll companies etc.).
This is an important change compared to the current legal framework, as they will all now be held directly accountable for complying with the data protection regulations.
The GDPR will also affect non-EU affiliates of a multinational, depending on where the HR data is stored or whether it is accessible to affiliates worldwide.
It will therefore be more important for companies to have a strong understanding of their different HR data flows, both internally and externally, in order to implement the changes required to legitimize cross-border data transfers, especially since the European Court of Justice ruled that the EU-US Safe Harbor can no longer be relied on.
WHAT CONSTITUTES CONSENT OF A DATA SUBJECT?
This is probably the most relevant element in the context of HR-related data processing. Within the current environment, many companies process the personal data of employees and potential employees on the basis of their consent. This is becoming more widely criticized, as there have been several points of discussion on what constitutes consent given by an employee. Some argue that employees may not have a real choice due to internal pressures within the company.
The GDPR therefore aims to address this by requiring consent to be given unambiguously. This means the consent must be given freely, specifically and on an informed basis. For the consent to be deemed valid, it must be given freely, without fear that refusal will be detrimental to the employee.
Furthermore, when the consent is given through a declaration that also regulates other matters, the consent to the processing of information must be clearly distinguishable from other matters.
This therefore means that employers will need to evaluate how they collect HR-related data. If an employer needs to rely on consent, they will need to ensure that they meet all the requirements outlined by the GDPR, keeping in mind that consent can be revoked at any time by the data subject.
In many situations, companies will need to move to one of the other legal grounds to (continue to) process HR-related personal data. This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).
However, these legal grounds all have their restrictions and must be closely followed. If a company cannot justify processing information on any of these grounds, it could result in the company having to cease the processing of data or alternatively limit the amount of data processed or risk being heavily fined.
INCREASED RIGHTS FOR EMPLOYEES
The GDPR significantly enhances the rights of the employee/data subject.
Employers will need to provide detailed information on how and why they need to process certain HR-related data. This requirement is designed to bring more transparency to the processing of data and, by doing so, enhance the security and privacy of the data subject.
In addition, employees have the right to full access on the data held on them, as well as the right to rectify inaccurate data.
Lastly, with the implementation of the new legislation, employees can enforce their “right to be forgotten”, which will require the employer to erase all personal data, unless it is required to be held by law.
REQUIREMENT TO DEMONSTRATE COMPLIANCE
With the implementation of the GDPR, companies will be expected to implement a number of measures, such as the appointment of a (mandatory) data protection officer, carrying out (mandatory) privacy impact assessments and (mandatory) consultation with the data protection authorities before new data processing activities are commenced, as well as keeping records of all their processing activities.
These new obligations will have a significant impact on how companies approach projects that involve the processing of personal data.
IMPLEMENTATION OF A DATA BREACH NOTIFICATION PROGRAMME
Another key element that must be noted within the GDPR is that companies are now required by law to notify data breaches.
Whilst most US-based companies are already familiar with the concept, this will be an important change for many EU businesses.
If a company suffers a data breach, it is now required by law to notify the data protection regulator within 72 hours. If notification does not take place within 72 hours, the delay must be justified.
Regarding data breaches that concern HR-related data, the employer is required to notify the affected employees without delay if the breach is likely to result in a high risk to their freedoms.
CONCLUSION
It is clear that the GDPR will significantly affect all businesses, regardless of their size.
Businesses will therefore need to analyze their current HR-related processing activities and identify any gaps in compliance with the GDPR.
Using this information, they will then need to update their existing procedures and implement the necessary changes to ensure they are fully compliant with the new obligations. Failure to do so will result in significant fines or restrictions on certain activities, which could indirectly hinder their business.
AI Solution Engineer
The GDPR may indeed become important if it transforms into an ISO-like standard for data protection all over the world, obliging most companies to take a more proactive approach to data and privacy. Just as there are standards for accounting, standards for data transfer, use and privacy should in the end have a positive effect on data management.
Thank you @Clair for this piece. Very well written and to the point.
Director at Sigmar Recruitment
Well done Claire! Lots of insights that will soon apply to all businesses.
Great article Claire Kelly NRF Cert RP. A must read for all HR professionals, CDOs, CIOs etc.
CEO & Founder at Fenero
Interesting read, thanks Claire Kelly NRF Cert RP!