This is an update of our April 2016 Newsletter

Introduction

On the 4 May the European Parliament - after years of discussion – together with the other EU institutions, agreed on the text of the EU's successor privacy legislation: the General Data Protection Regulation ("GDPR").

The GDPR will replace the 'patchwork quilt' of 28 different EU Member States' laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU. 

In addition to harmonising the EU data protection legal framework, its main objectives are threefold: 

  • First the GDPR increases the rights for individuals;
  • Secondly, it strengthens the obligations for companies;
  • Thirdly, the GDPR dramatically increases sanctions in case of non-compliance. Data protection regulators will have the powers to impose fines up 20.000.000 EUR or 4% of the total worldwide annual turnover. Add to that the possibility for the regulators to impose a ban on processing or the suspension of data transfers, the risk of class actions, criminal sanctions and reputational damage, and it becomes clear that not complying with the GDPR will not be an option. 

For these reasons, it is fair to say that the GDPR is the most important change in data privacy law in the last twenty years. 

Moreover, it will affect all businesses, all over the world - as every organisation has employees and contacts, even if they don't have individual customers. 

In this article, we will provide a recap of the most significant changes that the GDPR will bring from an HR perspective. Employers process lots of HR related personal data on a daily basis. How will they be affected by the GDPR and what steps should they take to become compliant with this new set of rules?

Where do privacy and HR meet on the workfloor?

Keeping the balance between the protection of the privacy of the workers and the prerogatives of the employer can be tricky in several circumstances such as in scenarios of body searches on workers camera surveillance, geolocation, interrogation of workers, hotlines, the use of internet, email and social networks, etc .... There are many laws that apply to this matter.  Furthermore employers also process private information about their employees.

Below you will find an overview of the main aspects of the GDPR for the HR function

Increased rights for individuals

  • The GDPR significantly enhances the rights of data subjects. Firstly, with regard to the right to information, employers will need to provide more detailed information as to the how and why of the processing of HR related personal data. This long list of information to be provided aims at giving more transparency to the processing of data and by doing so enhancing security. 
    Secondly, employees have a right of access to their data and a right to have inaccurate data rectified. These existing rights have been modified in order to bring more clarity but they are not extended that much;
  • The GDPR also introduces a new "right to be forgotten" and the new right to portability.

Strengthened conditions regarding the consent

  • It will become more difficult for employers to obtain a valid consent from their employees to process personal data in the HR context. As a result, employers must seek alternative legal grounds, such as 'the contractual necessity' or 'the employers' legitimate interest'.

Strengthened obligations for organisations

(a)     Mandatory notification of a data breach to the Protection Authority and individuals within 72 hours;

(b)     Appointment of (mandatory) data protection officers;

(c)     Privacy impact assessments, privacy by design et privacy by default;

(d)     Requirement to keep the records concerning the processing of personal data.

Increased enforcement and higher fines

New powers given to Data Protection Authorities (e.g. audit rights) and fines up to the higher of 20 million EUR or 4% of the global worldwide turnover.

Direct obligations for data processors (sub-contractor processing data on behalf of the controller)

E.g. Social secretary, suppliers of whistleblowing programs, cloud service providers

Required actions for HR professionals

  • Mapping of all the data processed by HR;
  • Analysing the gap between the actual process and the new regime requirements;
    • Employment contracts, Privacy Policy, acceptable Internet use policy;
    • The processes carried out on basis of consent as today, a lot of companies process personal data of employees on the basis of their consent. The GDPR wants to re-inforce the value of consent given by a data subject. It therefore requires that consent is given unambiguously;
    • Contracts for service providers dealing with HR data. 

The GDPR is enabling a two year transition period for implementation. However in reality, rules will be applied sooner as Belgium will implement parts of GDRP into national law already in 2016 as well as regulators will start implementing some parts of the Regulation before the entry into force of the GDPR. Anyway organisations implementing new processing activities in the coming two years should already take the new legal framework into account. Given the significance of changes, there is thus no time to lose. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.