A new dawn or the makings of an additional headache?
28 Feb 2016

After many months of negotiation, and three years on from the proposal for a revision, the new EU Regulations on Data Protection have been agreed, but are they completely different from the current regime?

There are now 100 articles within the Regulations (with 130 recitals to explain them), three times the amount of the previous act, but the essence remains the same. The Regulations are there to protect the confidentiality of individuals in the EU. That said, they are now more detailed and address the digital world: a blessing, as it removes some of the uncertainty and potential for differing interpretations, but a potential curse, as Payroll now has a greater responsibility.

The current directive is not a regulation and each of the 28 states of the EU has interpreted it in their own way, leading to a complicated set of 28 national laws each of which needs to be considered when processing an individual’s data in any of those states. Although there is (what seems to be) a significant amount of time to move to the EU wide regulations from the national laws (the current directive will be formally repealed in January 2018), there is nothing to stop states moving over when they are ready, which could be any time.

Items still open for interpretation

There are some items that are still open to interpretation, which will need to be clarified before the Regulations will be officially published in spring this year:

• Legal linguistic teams need to review the text

• The Regulations will need to be adopted by the European Council

• The Regulations will need to be adopted by Parliament

In the months following the publication new acts will be delegated and implemented. A significant difference compared to the current Directive is whom it applies to.

The impact for Payroll

The new Regulations now apply to both controllers and processors in the EU. Historically Payroll has usually been classed as a processor because the data is normally controlled and stored elsewhere and so has not been responsible for registering with DPA authorities, or for ensuring the current Act is complied with.

And the impact of these new regulations is that Payroll is responsible for data they monitor or process. From a global perspective, this includes anyone processing data for EU subjects, even if they don’t have a base in a member state, which widens the scope of responsibility considerably.

The key definitions have not changed; the controller is responsible for compliance. However, they will have to be able to demonstrate compliance with the principles. This new part is aimed at ensuring controllers adopt internal processes and policies, for which they will be accountable. There will no longer be a requirement to file with regulators; the internal documentation will replace this requirement and, unless a complaint is received, it will be largely self-regulated.

Non-compliance and financial penalties

Fines will also change significantly and will be up to 4% of the worldwide income of the organisation, rather than a standard fine in the state concerned. This could take the fine into millions for larger organisations. The severity of the fine will be based on:

• The nature, gravity and duration of the breach

• Intent

• Mitigating actions

• Degree of responsibility and previous infringements

• Cooperation with the authority

• Categories of data affected

• Compliance with measures ordered

• Adherence to the code of conduct

• Other aggravating or mitigating factors

Principles of transferring data

The new rules confirm the existing principles around transferring data outside the EU (remembering that the safe harbour agreement with the US had been ruled unfit by the European Court of Justice but a new agreement was reached on 2nd February), as well as identifying countries and industries that are classed as ‘safe’. There will still be provisions to utilise Model Contract Clauses and Binding Corporate Rules for countries outside the EU. Also, Court or Tribunal judgements requesting information for countries outside the EU can only be answered if there is an agreement between that country and the EU.

Consent from data subjects

Consent from data subjects should be:

• Explicit and may not form part of a wider agreement (such as a contract of employment)

• Freely given

• Specific

• Informed

• Unambiguous

• By statement or clear affirmative action

The burden of proof of the consent will sit with the data controller, and implied consent will no longer be applicable or allowed.

If the processing is necessary for the performance of duties then it would be difficult for the individual to refuse, which raises questions about whether the employee is actually free to make a decision at all where payroll is concerned if they want to be paid for their work! If you can’t process their data, you can’t process their pay…

Data subjects can still claim legitimate interests as a reason to restrict the data collected and processed, but it has to be specific e.g. a subject can insist you can only store their data, but not process it (remembering the example above is a contradiction to this). Member states can also maintain or introduce further conditions about data on health, as well as biometric and genetic data. Processing of data for subjects who are under 16 will now require parental consent. Member states can lower the age but not below 13 years. This takes into account that some states have already introduced this. Another responsibility of the controller is to make reasonable efforts to ensure consent has been obtained.

And the good news...

The good news for multi-country organisations is that the new Regulations allow you to deal with one Data Protection Authority (usually in the state where the majority of controlling or processing takes place) rather than having to register with, and deal with, up to 28 state Authorities and remembering their different interpretations.

The new rules stipulate that organisations only have 72 hours to notify authorities and the data subject(s) of a breach in Regulations, unless:

• It is unlikely to result in any risk or to affect the rights of the subject

• If the data has been encrypted

• If measures have been taken to render it unintelligible.

Failure to report in time will impact the value of the fine issued.

Further impacts for Payroll as a data processor

One of the key impacts for payroll is that data processors can have claims lodged directly against them, rather than with the controller. So they will be jointly liable for damages caused by the processing of data due to non-compliance; however, the controller or processor is exempted if they can prove they were not responsible for the event that gave rise to the damage. It will be interesting to see how this particular change affects relationships and contracts with third party providers and consultants, as processors will still be held liable if a sub-processor breaks the regulations.

Action to take

Find out if your organisation has a data protection officer (DPO). Under the new rules this can be one person, a group of people, or even an external consultant or firm. The DPO (or group) should only report to the highest management level in the organisation to avoid influence and ensure that senior managers are aware of any potential issues.

It would be worthwhile setting up a group to deal with the upcoming changes, including the DPO, a representative from payroll, a representative from HR and any other relevant departments who may collect or process data on individuals. This would include sales or anyone who looks after online accounts for shopping, banking, etc.

Identify all areas that control or process the data of EU subjects (whether the controller or processor is in the EU or not) and their location. Work through this list to ensure process and policy information about the controlling or processing of that information is fully documented and up to date.

It would be sensible to have a regular audit across the organisation to ensure the documents reflect what is happening in practice, and also to check whether any new departments or processes are caught by the Regulations. By auditing now, you can identify areas of weakness that can be addressed before the new regulations come into place.

You should write and agree policies and procedures specifically for checking compliance to the data protection rules including data encryption and new agreements for explicit consent to be given by the data subjects involved.

Keeping up to date

Keep up to date with the data protection changes. Also look out for updates on the changes to the safe harbour agreements with the US.
