- 15 Apr 2016
- Jens Harkov
The European Parliament has now adopted the General Data Protection Regulation (GDPR). With effect from 2018, the GDPR will replace the Danish Data Protection Act and set the data processing framework for businesses and government authorities, both as regards employees and as regards customers and citizens.
The European Parliament formally adopted the new GDPR on 14 April. The negotiation process preceding the adoption has taken more than four years, involving the European Commission, the European Parliament and the European Council. The GDPR contains 99 articles governing a number of different issues and situations. All employers will be affected by the new Regulation. In addition, the Regulation will affect the businesses and government authorities which process personal data about customers, citizens, etc. other than for HR purposes.
Many known elements
Generally speaking, the Regulation re-enacts many of the elements currently governed by the Danish Data Protection Act. This is true of a number of elements, from the provisions on processing of personal data, through data subject rights, to safeguards and security measures. A number of the principles which may currently form the basis of processing may therefore continue to do so in the future as well. For employers, for example, an employment contract may still form the basis for processing various employee data under the new regime. Similarly, employers can still expect to receive subject access requests from their employees. And separate data processor agreements must still be entered into with external processors, e.g. providers of IT services, personality tests and payroll administration services.
However, the Regulation also involves a range of new elements. For one thing, the Regulation introduces the new concept of a "data protection officer" who, if employed by the business or government authority, will enjoy protection against dismissal. All government authorities and certain businesses must have a data protection officer.
There will also be a number of procedural requirements to replace the current notification procedure. This means, among other things, that data protection impact assessments will have to be prepared in certain contexts and that records must be kept of the personal data being processed and the purposes of such processing etc.
In addition, there is a new requirement that government authorities and businesses must report any security breaches to the Danish Data Protection Agency on their own initiative.
Fines will be a real risk factor
The much debated fine regime has also been adopted. As a result, businesses will risk sanctions up to the higher of EUR 10-20 million or 2-4% of their global turnover.
Although the sanctions will depend on which provisions the breach concerns, and on the circumstances in which the breach takes place, there is no doubt that the intention of the new regime is to raise the level of fines dramatically compared with the level under the former Data Protection Act. This alone makes a breach of data protection law a real risk factor for businesses in future.
Legislative review ahead
With the adoption of the Regulation, a number of legislative tasks now lie ahead. The Regulation leaves considerable scope for adopting supplementary provisions at national or EU level. In addition, various Danish acts and executive orders will have to be "aligned" with the new Regulation.
In the area of employment law, the Regulation also includes a provision authorising member states to implement specific national provisions in connection with the protection of employee data.
In Denmark, the Danish Ministry of Justice is heading the legislative review. As the review process is still in its early stages, the wording of the special Danish provisions on data protection in a number of areas is not yet known.
Not too soon to begin
The detailed regulation is not yet in place, but even so it is not too soon to begin making plans for the new data protection regime. Whatever the detailed rules turn out to be, the precondition for compliance in this area of the law is that businesses and government authorities are really in control of the personal data they hold. And this is easier said than done. With modern technology, personal data are collected and used to an ever increasing extent, and not all data collection operations are even known to the controllers.
Mapping the data flow of employee data alone may be an enormous task, since employers need to be in control of every aspect, from data collected via door cards, through data held in HR systems, to data transfers between group companies or cooperation partners. And, in practice, the new documentation requirements mean that it will be important to keep a clear head to ensure that the policies implemented have the right contents. In other words, it is not too soon to begin preparing for the new data protection regime, even if it does not take effect until 2018.
Norrbom Vinding will follow the process closely and report on any developments.