Although companies are not obliged to appoint a Data Protection Officer before the GDPR applies on 25 May 2018, we are often asked to provide Data Protection Officer services already now, to help with GDPR implementation. So we started offering ‘early Data Protection Officer appointment’.
Early Data Protection Officer appointment means that your appointed Data Protection Officer is not yet a statutory function but rather an in-house function like any other officer you appoint in your company. However, such a Data Protection Officer would be expected to monitor data protection compliance and to offer support in the privacy field in much the same way as a GDPR Data Protection Officer.
Monitoring step-by-step GDPR implementation
In practice, an early-appointed Data Protection Officer would primarily monitor the step-by-step implementation of the GDPR rules in the company and provide advice and support in that regard. Early Data Protection Officer appointment can also help deliver data protection training that is not generic but tailored to the needs and policies of your company.
Advise, monitor, communicate
The GDPR Data Protection Officer’s task of informing and advising the controller or the processor, and the employees who carry out processing, of their obligations under the GDPR and under other Union or Member State data protection provisions (Article 39(1)(a) GDPR) will, before 25 May 2018, be focused on adapting policies and processes to the new rules. Similarly, monitoring compliance with the same three sets of obligations and with the controller’s or processor’s own policies (Article 39(1)(b) GDPR) will focus on GDPR readiness and gap analysis.
The early-appointed Data Protection Officer might already be the best person in the company to communicate with the national supervisory authority, i.e. the ICO in the UK or the Data Protection Commissioner (DPC) in the Republic of Ireland, as foreseen by the GDPR, which makes the Data Protection Officer the contact point for the supervisory authority. Keep in mind, however, that this role might require an express power of attorney.
Are you considering early Data Protection Officer appointment to prepare you for GDPR? Check out Aphaia’s Data Protection Officer outsourcing services.
We are often asked by clients and prospects what happens to UK data protection laws after Brexit. Our regular answer, ‘not much’, has proven to be correct: the proposed UK Data Protection Bill and the GDPR are meant to be aligned with each other.
Indeed, anything else would put UK businesses at a disadvantage by preventing them from exchanging data freely with the EU after Brexit. And keep in mind that this is one of the easy areas, where the outcome of the Brexit negotiations might not matter all that much: once UK law protects individuals as well as the GDPR does, the European Commission is likely to issue an adequacy decision allowing personal data to flow freely to the UK regardless of any new EU-UK relationship.
The new UK Data Protection Bill and the GDPR are aligned when it comes to penalties, one of the GDPR’s underlying new policies potentially targeting international web giants: maximum penalties of £17 million or 4% of global annual turnover, whichever is higher, mirror the GDPR’s €20 million or the same percentage.
Obtaining consent becoming more difficult
Both the UK Data Protection Bill and the GDPR put the focus on consent for personal data processing, which is no longer a formal, box-ticking exercise. Issues such as easy withdrawal of consent, children’s consent and consent to processing of sensitive personal data are the focus of both the UK Government and the GDPR. Children and adults may also ask social media platforms to erase their data, i.e. to be ‘forgotten’.
Broader definition of personal data
In the same way as some other EU countries have already done, the UK Data Protection Bill expands the definition of ‘personal data’ to include IP addresses. The reason is that ISPs and other entities can easily identify and trace individual users once they know their IP addresses. Furthermore, the definition would expressly include internet cookies and DNA.
Aphaia specialises in helping organisations with their GDPR adaptation and acts as an outsourced Data Protection Officer in line with the GDPR requirements.
In the run-up to the application of the GDPR in 2018, the Article 29 Working Party published a detailed Opinion on data processing at work (Opinion 2/2017). The text sheds light on key issues of employment data processing under the GDPR.
Technological tools for profiling and monitoring employees’ behaviour are plentiful and make monitoring increasingly intrusive. Examples include profiling via social media, the use of wearable devices, video monitoring systems and the monitoring of electronic communications such as phone, email, internet browsing and application logins. As a result, the volume of data collected on employees is immense and often reaches into the strictly private sphere. One can therefore expect the GDPR rules on employment data processing to be interpreted strictly.
Consent insufficient for GDPR employment data processing
The EU’s top data protection body takes the view that consent, the traditional legal basis for personal data processing, cannot normally justify the processing of employee data, because the inherent dependency in the employer-employee relationship means that consent is rarely freely given. The legal basis for collecting employees’ data should instead be sought in the performance of the employment contract (for example, paying salaries), in other legal obligations (for example, calculating tax) or in the legitimate interest of the employer.
In the latter case, the specific method chosen must be necessary to achieve the employer’s legitimate interest, and the processing must be proportionate to the business need. When selecting the monitoring technology, the least invasive option should be chosen and the data should be kept for the shortest possible time, in line with the data minimisation and storage limitation principles. In any case, fair processing requires transparency about the existence of monitoring, its purpose and any other relevant information.
GDPR employee social media profiling
In addition to the general guidelines applicable in the working environment, the Opinion covers several specific scenarios, one of them being profiling via social media accounts. According to the Working Party, profiling prospective employees through their public social media profiles is not allowed unless the profile is related to business rather than private purposes, and even then only to the extent relevant to the job. Moreover, the applicant should be informed of the process beforehand, and the information should be deleted if no offer is made.
Overall, given how easily advanced technological tools can collect employees’ data and the imbalance in the employment relationship, the principles of transparency and proportionality carry particular weight. They strike a fair balance between the legitimate interest of the employer and the employee’s right to private life and secrecy of communications.
This article is not about discrediting any GDPR practitioner courses, certifications, or the people who take part in them. But the emerging privacy profession and its data protection professionals need to strive for credibility, starting with clear language.
Read more: “‘GDPR practitioner’? I prefer ‘privacy professional’ instead”