European Parliament Approves General Data Protection Regulation
The European Parliament has finally approved a new General Data Protection Regulation, after more than three years of work overhauling the EU's data protection rules.
The GDPR will replace the current EU Data Protection Directive (95/46/EC) in 2018, and contains a number of changes that will be of interests to employers. We will report in more detail on these changes in due course in a separate article.
At this stage we have decided to highlight two particular points. First, the Information Commissioner's Office has issued guidance on 12 steps companies should be taking now to prepare for implementation in 2018.
Secondly, from and employment law perspective, the GDPR will introduce stricter requirements for obtaining consent from individuals to process their data. The 'data subject's consent' shall now mean:
'Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject… signifies agreement to personal data relating to them being processed.'
Furthermore, Regulation 7(2) states that 'if the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters...'.
This may effect employers who usually obtain consent for processing personal data by way of a standard provision in their employment contracts. Employees rarely have the opportunity to negotiate the terms of their employment contracts and so have little choice but to accept the data processing provision. As the onus is on the employer to show the employee gave consent, it might be difficult to show that consent was freely given and unambiguous.
As we have said above, the GDPR is due to come into force in 2018. It will apply directly to public and private data controllers in EU member states, without the need to be implemented in national law.
Best Practice
It is recommended that employers read the guidance from the Information Commissioner's Office referred to above.
Employers will need to review their standard contracts of employment and staff handbooks to ensure that individual consent to processing data is properly given.
We shall publish a more detailed best practise communication relating to the GDPR in due course.