We now have less than a year to go before the General Data Protection Regulation comes into force on 25 May 2018, replacing the Data Protection Act 1998.
This EU law has already caused some controversy and will likely continue to do so beyond its implementation, given the familiarity that organisations have with the procedures brought into force by the Data Protection Act.
Importantly, even though Article 50 of the Treaty of Lisbon has been triggered and the UK will be leaving the EU, businesses and organisations in the UK will still need to adhere to the provisions within the General Data Protection Regulation. In addition to this, it is likely that the Regulation will remain in force once the Brexit process has been completed, albeit possibly in an altered form.
Naturally, data protection affects a wide range of areas and, whilst this note addresses the General Data Protection Regulation, its focus is purely on the impact on employment law.
The effect on employees
Interestingly, the provisions of the Regulation only bind parties with equal bargaining power. Therefore, an employee cannot give consent for his or her personal data to be processed by an employer, purely on the basis that the contractual relationship between employer and employee is not an equal one. Ironically, even where an employee does give consent for his or her information to be processed, it is likely that consent may not be deemed to be valid, on account of this imbalance of power.
However, employees are still likely to be affected by the way their employers implement the Regulation, with one clear example being the manner in which employers will accept subject access requests by an employee to view their personal records. Another example may be employees having to learn new technological and other systems, so as to assist their employers in protecting certain forms of internal and external data provided to them.
Therefore, one of the realities of this change is that employees are also likely to be drawn into the mechanisms by which the Regulation is implemented, regardless of whether those mechanisms directly affect the relationship between employee and employer or the way in which they perform their work.
For instance, the Regulation requires employers to appoint a data protection officer with protected employment status in some EU member states. This could very well see the roles of HR professionals being expanded and, particularly in larger businesses and those with more reliance upon the European market, other officers may be required to assist the data protection officer in meeting his or her reporting duties.
The effect on employers
Admittedly, the parties with the most to do in preparing for the changes under the Regulation and those potentially with the most to lose for failing to implement these changes will be employers, regardless of their size and structure. Employers should also note that they will be affected by the Regulation not simply in their role as employers, but also in the course of conducting their business.
The good news is that the procedures and processes that were originally brought into effect by the outgoing Data Protection Act have helped to generally prepare employers for this significant change, but more preparation will still be required.
The main message for employers, therefore, is not to overlook this Regulation. It is important and it will be the law. Bearing in mind that, under the current system, the maximum fine for a failure to follow the law on data protection is £500,000 and the Regulation will grant greater investigatory powers and impose tougher sanctions (financial or otherwise) on those who fail to comply, it is best for businesses and employers to prepare themselves now.
In respect of their employees, employers should note that, even with the most co-operative of employees, it will not be possible to rely upon direct or presumed consent to share that employee’s personal information, owing to the imbalance of bargaining power between employer and employee.
Employers will therefore need to keep a tight check on their own internal and external policies and systems, both technological and otherwise, to ensure that the data of their employees is kept secure and away from prying eyes.
This may present key difficulties where, for example, an employer is faced with an employee who may have a disability or who has an unspecified disability. How far should an employer go to press job applicants and employees for information on illnesses and conditions that they may have? And, even where such information has been disclosed, who within the business structure should be entitled to know such information?
Employers will need to upgrade or introduce systems by which those who need to access such information may do so, such as line managers and immediate colleagues, whilst ensuring that the information (which constitutes data) is not shared any further than need be.
Employers will undoubtedly be kept on their toes by such issues, not merely in keeping the lid on the sharing of employees’ personal information, but also in developing and expanding risk assessments to ensure that personal data is contained appropriately.
Whilst the ways in which the General Data Protection Regulation could affect the key relationship between employer and employee may appear daunting at first glance, what is clear is that, from an HR perspective at the very least, employers will need to continually review and develop their existing policies to discharge their duty to protect the personal information of their workforce.
This article is not a substitute for legal advice on specific facts and circumstances. It is designed as a free update on the law at the time of publishing. Knight Polson Limited trading as QualitySolicitors Knight Polson accepts no responsibility for reliance on this article and recommends that you seek independent legal advice on your specific circumstances prior to taking any steps.