GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, sets a common standard for protecting personal data across the EU. It also leaves member states some flexibility to add their own provisions and limitations. Some examples that may affect HR teams include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- in the absence of an adequacy decision, and for important reasons of public interest, set limits on the transfer of “specific categories of personal data to a third country or international organisation” (Art. 49(5)); and
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in the United Kingdom (UK)
The UK left the EU on January 31, 2020 and is in a transition period that runs through December 31, 2020. The GDPR continues to apply throughout the transition period. The UK Data Protection Act 2018 (the “Act”), which implemented and supplemented the GDPR in the UK before Brexit, will remain in full force beyond the transition period. The Act largely mirrors the GDPR, but the UK has some derogations and some changes related to Brexit:
Registering with the Data Protection Authorities: Although the GDPR no longer requires registration with a data protection authority, the UK has introduced a mandatory data protection fee for data controllers, subject to exemptions. Staff administration is one such exemption, but it has limits (e.g. it does not cover applicant data, and it may not cover certain cross-border transfers).
Most employers choose to pay the small fee to the Information Commissioner’s Office. Additional information can be found below:
International Data Transfers: Per guidance (https://www.gov.uk/guidance/using-personal-data-after-brexit) put out by the UK, “During the transition period, personal data will be able to flow freely (subject to GDPR compliance), without additional restrictions, between the EU/EEA and the UK. UK organisations will still be able to send personal data legally from the UK to the EEA and 13 countries deemed adequate by the EU.”
Transferring EU employee data to the UK may become more complex, at least in the short term. For many employers this will mean putting in place or updating standard contractual clauses (SCCs), which is the usual mechanism for transfers to most third countries. SCCs are Commission-approved model contract terms under which the recipient commits to GDPR-level protection of the personal data it receives, so that transfers out of the EEA can take place lawfully. The UK’s Information Commissioner’s Office (ICO) has published guidance (https://ico.org.uk/for-organisations/data-protection-and-brexit/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/) that employers can use when deciding whether and how to use standard contractual clauses.
In the longer term, the UK intends to work with the EU towards an adequacy decision, which would allow employee data to flow freely between the UK and the EU without SCCs or other transfer mechanisms.
Policy Documents & Security Standards: The UK’s ICO recommends that organisations adopt best-practice methodologies such as ISO 27001. In addition, the Data Protection Act 2018 requires employers, in certain cases, to have an ‘appropriate policy document’ in place when they process special category or criminal offence data (e.g. when performing criminal background checks). That document must explain the employer’s procedures for securing compliance with the principles in Article 5 of the GDPR and set out its policies on the retention and erasure of that data.