DATA SECURITY
PRINT.IT

Data, data, everywhere… but are we compliant?

Andrew Yule explains what businesses must do to prepare for stricter data protection rules.

In an increasingly globalised workplace, the processing and international transfer of data has become routine. This includes the cross-border transfer of personal data for the purposes of HR and other outsourced services or, for example, to an employer’s HQ in the US.

However, two significant legal developments are dramatically changing how organisations and, in particular, employers must think about the adequacy of their data processing systems and security – Safe Harbour and the General Data Protection Regulation (GDPR).

Safe Harbour

Under European law, the transfer of personal data (including employee data) to a third, non-EU country may only take place if the recipient ensures adequate protection.

Until recently, adequate protection for data transfers to the US was effectively self-certified by recipient companies, under the Safe Harbour scheme. However, this scheme was struck down by the European Court of Justice earlier in the year.

The ruling affected over 4,000 self-certified US companies and their EU counterparts and has left a great number frantically reviewing their approach to EU-US data transfers, to try to ensure that data is transferred in a compliant and secure manner.

There are temporary solutions, including using standard contractual provisions in relevant documentation, consent and statutory derogations, but these are not perfect for the medium or longer term.

The US and EU have, in the meantime, been engaged in accelerated negotiations over a new ‘Privacy Shield’, which will be based on the same principles as Safe Harbour, with a view to meeting the underlying requirements of the strict EU Directive as regards data transfer.

However, the way in which those principles are implemented and the hurdles for compliance are likely to be significantly stricter under the Privacy Shield. It will also be subject to an annual review. Businesses taking advantage of it will need to ensure they stay abreast not only of the terms of its initial incarnation, but also all the ways in which its requirements evolve over time.

Complaint and enforcement protocols will also be introduced. These are likely to include strict deadlines for responding to complaints, plus powers to monitor and refer them.

Whatever the precise form the final Privacy Shield takes – EU member states are set to start reviewing the details next month – and unlike the Safe Harbour system, businesses will be unable to think of self-certification as a one-time event. The rules are likely to be significantly stricter and compliance will require careful, ongoing monitoring and review.

The GDPR

Businesses in the UK must also start to grapple with changes that will be introduced by the new General Data Protection Regulation (GDPR), due to come into force in 2018.

The objective of the GDPR is to establish a common set of rules across the EU for data protection and to introduce tougher enforcement rules, with penalties potentially running into many millions of Euros.

Businesses already process a very significant amount of data in relation to their employees, such as payroll data, computer log-on data, communications and CCTV footage, to mention some obvious examples.

Therefore, all UK businesses must start to think about what steps they should be taking now to prepare to be compliant.

The requirements for compliance under the Regulation will involve a greater focus on the legal basis for the processing of personal information; more extensive and complete records and information; new policies and practices; and an extension of the rights of data subjects (including employees).

With the GDPR, consent will take on much greater importance. It has been relied on under the existing law, as a relatively simple way to establish a legal basis for processing personal data, by way of a simple contractual term. However, the new Regulation will be much stricter – consent must be freely given, specific, informed and unambiguous, and it will be for the data controller/employer to show that this has been achieved.

Alongside tighter rules as regards the basis for lawful processing of personal data, the rights of data subjects (including employees) will also increase. Data subjects will acquire additional rights to compel deletion, rectification and restriction on processing, to name but a few.

Although the rules will not be effective until 2018, given the amount of data that employers and other businesses currently process, they would be wise to start to prepare now. At this stage, this could include at least: identifying all the existing systems and contexts in which personal data is stored and processed; appointing relevant personnel and advisers to ensure that they understand the legal basis for processing data; and identifying what practical steps should be taken over the next 12 to 24 months to ensure that they have appropriate systems in place.

Andrew Yule is a Partner at Winckworth Sherwood LLP.