The new European Commission data protection proposals

by Laurie Anstis on February 1, 2012

Last week, the European Commission put forward its long-awaited proposals for reform of data protection law.

This is possibly the only law reform proposal to be launched with its own cartoons and micro-site, but what does it mean for HR?

There is a lot to these new proposals, but here are my top five points on what these new proposals mean for HR:

1. No more notification

There will be no need to “notify” the Information Commissioner that you are processing personal data. Previously known as registration, this requirement will be abolished altogether, saving large organisations a £500 fee.

2. Data security 

Under the new proposals, any “data security breach” must be notified to the Information Commissioner and any affected individuals without undue delay and, where feasible, within 24 hours of it coming to light. There will be a positive obligation to report the USB stick or CD left in a taxi or train.

Personal data held and processed on computers must also be protected against unauthorised access or use, backed up, and records must be kept of any alterations or deletions of personal data. In practice this is going to force all but the smallest employers to use modern HR software that provides access control and data audit trails. Expect the software providers to be very happy about this.

There will be penalties of up to 2% of the global annual turnover of the organisation for serious breaches of the new law.

3. Data protection policies

Individuals are going to be entitled, up front, to more information about why their personal data is being collected, what is going to be done with it and how long it is going to be kept for, along with details of their rights in respect of that data and details of their rights to complain. This is going to mean a need for full data protection policies and information to be given to workers (and job applicants) up front. These policies cannot be in legal-ese. They must be in “clear and plain language” (good luck with that one, lawyers).

“Explicit” consent must be given to data processing under the new proposals, which is going to require some sort of definite action by the individual giving consent, rather than consent simply being assumed.

4. The “right to be forgotten”

It used to be impossible to delete a Facebook account – the account could only be suspended. Deletion is now possible, but this “right to be forgotten” is clearly directed at the various US-based web companies that make it as hard as possible for you to delete an account.

Even so, this right will apply to HR records too. Former employees will be entitled to have their records deleted on request. This could even extend to back-ups carrying historic data. We can expect arguments about whether it is necessary for the employer to maintain such records in case of, say, a tribunal claim.

5. The “data protection officer”

Organisations will now have to designate a “data protection officer” who takes responsibility for the organisation’s data processing. The HR director in many organisations may well be the first person the organisation looks to to “volunteer” for this role.

In common with the current law, it looks like there will be stricter requirements on the processing of “sensitive” data such as information relating to health, which HR might need.

These proposals are not expected to become law for several years. They may well be delayed or amended as they make their way through the legislative process. Even once approved at European level they will still need to be implemented in the UK, and the precise wording of the UK law will be important in setting out the obligations of employers. However, sooner or later most of this can be expected to become law.