Andrew Yule explains what businesses must do to prepare for stricter data protection rules.
In an increasingly globalised workplace, the processing and international transfer of data has become routine. This includes the cross-border transfer of personal data for the purposes of HR and other outsourced services or, for example, to an employer’s HQ in the US.
However, two significant legal developments are dramatically changing how organisations and, in particular, employers must think about the adequacy of their data processing systems and security – Safe Harbour and the General Data Protection Regulation (GDPR).
Under European law, the transfer of personal data (including employee data) to a third, non-EU country may only take place if the recipient ensures adequate protection.
Until recently, adequate protection for data transfers to the US was effectively self-certified by recipient companies, under the Safe Harbour scheme. However, this scheme was struck down by the European Court of Justice earlier in the year.
The ruling affected over 4,000 self-certified US companies and their EU counterparts and has left a great number frantically reviewing their approach to EU-US data transfers, to try to ensure that data is transferred in a compliant and secure manner.
There are temporary solutions, including using standard contractual provisions in relevant documentation, consent and statutory derogations, but these are not perfect for the medium or longer term.
The US and EU have, in the meantime, been engaged in accelerated negotiations over a new ‘Privacy Shield’, which will be based on the same principles as Safe Harbour, with a view to meeting the underlying requirements of the strict EU Directive as regards data transfer.
However, the way in which those principles are implemented and the hurdles for compliance are likely to be significantly stricter under the Privacy Shield. It will also be subject to an annual review. Businesses taking advantage of it will need to ensure they stay abreast not only of the terms of its initial incarnation, but also all the ways in which its requirements evolve over time.
Complaint and enforcement protocols will also be introduced. These are likely to include strict deadlines for responding to complaints, plus powers to monitor and refer them.
Whatever the precise form the final Privacy Shield takes – EU member states are set to start reviewing the details next month – and unlike the Safe Harbour system, businesses will be unable to think of self-certification as a one-time event. The rules are likely to be significantly stricter and compliance will require careful, ongoing monitoring and review.
Businesses in the UK must also start to grapple with changes that will be introduced by the new General Data Protection Regulation (GDPR), due to come into force in 2018.
The objective of the GDPR is to establish a common set of rules across the EU for data protection and to introduce tougher enforcement rules, with penalties potentially running into many millions of Euros.
Businesses already process a very significant amount of data in relation to their employees, such as payroll data, computer log-on data, communications and CCTV footage, to mention some obvious examples. Therefore, all UK businesses must start to think about what steps they should be taking now to prepare to be compliant.
The requirements for compliance under the Regulation will involve a greater focus on the legal basis for the processing of personal information; more extensive and complete records and information; new policies and practices; and an extension of the rights of data subjects (including employees).
With the GDPR, consent will take on much greater importance. It has been relied on under the existing law, as a relatively simple way to establish a legal basis for processing personal data, by way of a simple contractual term. However, the new Regulations will be much stricter – consent must be freely given, specific, informed and unambiguous and it will be for the data controller/employer to show that this has been achieved.
Alongside tighter rules as regards the basis for lawful processing of personal data, the rights of data subjects (including employees) will also increase. Data subjects will acquire additional rights to compel deletion, rectification and restriction on processing, to name but a few.
Although the rules will not be effective until 2018, given the amount of data that employers and other businesses currently process, they would be wise to start to prepare now. At this stage, this could include at least: identifying all the existing systems and contexts in which personal data is stored and processed; appointing relevant personnel and advisers to ensure that they understand the legal basis for processing data; and identifying what practical steps should be taken over the next 12 to 24 months to ensure that they have appropriate systems in place.
Andrew Yule is a Partner at Winckworth Sherwood LLP.