The European Commission has published its proposal for a new data protection law in what is widely regarded as the most significant development in this area for a generation. Tony Hadden and Grant Campbell, partners at Brodies, set out the main changes that affect HR practitioners.
The Commission's proposal is designed to bring data protection legislation up to date and harmonise the way it is applied throughout the EU. It takes the form of a Regulation (rather than a Directive). This means that the Regulation would override existing law such as the UK's Data Protection Act 1998.
1 The "home regulator" principle
The draft proposes that organisations will be responsible to their "home" national regulator, which will be the regulator that operates in the country in which they have their main establishment.
2 Taking data protection responsibility more seriously
Under the provisions contained in the proposed Regulation, organisations are required to:
- adopt policies and implement appropriate measures "to ensure and be able to demonstrate that the processing of personal data is performed" in accordance with the Regulation [emphasis added];
- engage data protection officers if they are public authorities or commercial organisations employing more than 250 people to ensure that they have "transparent and easily accessible" policies regarding both data processing and also the rights of individual data subjects;
- implement "mechanisms" to ensure that they only collect the minimum amount of data required for the specific purpose for which they are seeking to process it, and to ensure that such data is not retained for longer than is necessary; and
- maintain documentation of all processing operations under their responsibility to co-operate with national supervisory authorities, such as the UK's Information Commissioner's Office.
3 New rights for individuals
Consistent with these increased requirements on organisations, the proposed Regulation will give new rights for individuals, including:
- Enhanced rights to access personal data from organisations that are processing it.
- Enhanced rights to object to data processing and to have it stopped.
- A new right to be "forgotten". Under the new Regulation, individuals can insist that organisations erase their data where there is no legitimate interest in retaining it. Where an organisation has made that data public, it also has a responsibility to inform third parties who are processing the data that the individual has requested that it be erased.
- A right to data portability, which will allow individuals to obtain their data in a "commonly used" electronic and structured format so that it can be more easily transferred.
- A right not to be subject to a "measure based on profiling". Essentially, this right seeks to stop organisations from using automated profiling tools to profile and make decisions on individuals based on a prediction of their creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour.
4 Data processors face new responsibilities
Under the current regime, statutory responsibility for complying with data protection obligations falls exclusively on the organisations that actually control the personal data. They are usually, in HR terms, the employer.
Those who simply process personal data on the instructions of a data controller are known as "data processors". These could be payroll, benefits or pension providers among others. Under current data protection law, data processors do not have statutory responsibility for the processing they do. Under the proposed Regulation, those who process personal data on behalf of others will have a number of explicit statutory responsibilities alongside controllers, including taking technical and organisational measures to protect data. In addition, if a processor processes data other than according to the controller's instructions, that processor is to be treated as if it were a controller as well (and, therefore, liable accordingly).
5 Data breach notification
Catching many of the headlines is the requirement on controllers to notify supervisory authorities of personal data breaches without undue delay and within 24 hours "where feasible". This is potentially onerous as it is not sufficient simply to inform the authority that the breach has occurred - the notification has to explain what actions the controller has taken to address the breach and mitigate its effects. Beyond notifying the authorities, controllers will have an express obligation to notify the data subjects affected where the breach "is likely to adversely affect the protection of the personal data or the privacy of the data subject".
6 Fines increase
The new regime will be backed up by fairly hefty penalties, including potential fines that elevate data protection in importance so that it is on a par with the likes of competition law.
The maximum fine is 2% of annual worldwide turnover (or €1,000,000 for individuals) for the most serious violations.
Regime change is coming to the world of data protection and HR teams should be considering their response now.
Tony Hadden is partner, employment and pensions, and Grant Campbell is partner and head of technology, information and outsourcing, at Brodies
A longer version of this article Data Protection in Europe: Regime change and why it matters to HR professionals is available from the Brodies website.