From 25 May 2018, the General Data Protection Regulation (GDPR) will apply to every company in the UK that holds and processes personal data relating to individuals such as clients, employees or suppliers. The regulation applies to all personal data held, including data collected before that date. Failure to comply leaves a company open to a fine of up to 20 million euros or 4% of its annual worldwide turnover, whichever is higher.
It will therefore be crucial, in order to avoid large fines, to ensure compliance with the GDPR and to be able to demonstrate that compliance. Even companies that already comply with the Data Protection Act 1998 will need to make significant changes to their policies and practices in order to meet the more stringent requirements of the GDPR.
What is it?
In summary, the new law requires greater accountability of data controllers and places emphasis on the documentation necessary to demonstrate that accountability. Companies must document what data they hold, where it came from and who it is shared with. The GDPR will require companies to review their data protection policies and practices, review contracts in relation to data protection, and change the way they obtain consent to process data. Consent for personal data to be processed must be “freely given, specific, informed and unambiguous”.
The GDPR also gives individuals greater control over data that others hold about them, including the right to have data erased and the right to receive it in a structured, commonly used and machine-readable format (data portability). Subject access requests must be complied with within one month, rather than the current 40 days. Employers will need to audit the employee personal data they collect and process to ensure that it meets the requirements of the GDPR.
Barbulescu v Romania – right to private life v monitoring of employee communications
The recent case of Barbulescu v Romania (application no. 61496/08), decided by the Grand Chamber of the European Court of Human Rights on 5 September 2017, has considered and clarified the law on the monitoring of employees’ private communications at work. The court’s reasoning will be relevant to companies when developing their policies and practices in preparation for the GDPR.
Mr Barbulescu worked as an engineer in charge of sales at a private company in Romania for three years from August 2004. At his employer’s request he created a Yahoo Messenger account in order to respond to client enquiries. His employer monitored his use of the account over a one-week period in July 2007 and dismissed him for using it for personal purposes, which was forbidden under the company’s internal regulations.
Mr Barbulescu brought a case against his employer, arguing that his right to correspondence was violated and his dismissal was therefore ‘null and void’. On 7th December 2007 at first instance the county court dismissed Mr Barbulescu’s complaint. His appeal against this decision was dismissed by the Bucharest Court of Appeal on 17th June 2008.
The issue before the Grand Chamber was whether the domestic authorities had adequately protected Mr Barbulescu’s right to respect for his private life and correspondence, guaranteed by article 8 of the European Convention on Human Rights, when his employer monitored his communications and dismissed him on the strength of them. The court heard that transcripts of the private messages accessed had been used in the domestic proceedings, and that the communications touched on “very intimate subjects” (paragraph 44). It was also told that the employer had accessed Mr Barbulescu’s personal Yahoo Messenger account as well as the work one.
The Chamber (Fourth Section), in its judgment of 12 January 2016, accepted that article 8 was engaged but found no violation, taking into account the following considerations (paragraphs 55-61):
i. The scope of the complaint was limited to the monitoring of communications within the framework of disciplinary proceedings.
ii. Mr Barbulescu was able to raise his arguments relating to the alleged breach of his private life before the domestic courts.
iii. The domestic courts attached particular importance to the fact that the employer accessed the Yahoo Messenger account in the belief that it contained professional messages, acting within its disciplinary powers.
iv. The content of the messages set out in the transcripts was not a decisive element in the domestic courts’ findings.
v. It is not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours.
vi. The employer’s monitoring was limited in scope and proportionate.
vii. Mr Barbulescu had not convincingly explained why he had used the Yahoo Messenger account for personal purposes.
On referral, the Grand Chamber reversed that outcome on 5 September 2017, finding by eleven votes to six that article 8 had been violated. It held that the domestic courts had failed to establish whether Mr Barbulescu had been notified in advance of the possibility and extent of the monitoring, and had not adequately examined the degree of intrusion into his private life, whether the employer had legitimate reasons for monitoring, whether less intrusive measures would have sufficed, the seriousness of the consequences for him, or the safeguards available to him. The judgment does not ban the monitoring of workplace communications, but these factors should be borne in mind by companies when establishing policies and practices to comply with the GDPR.
The GDPR will apply directly in all EU member states, including the UK, from 25 May 2018. Brexit will not change this before that date, and the UK government has confirmed that the GDPR’s requirements will be carried into domestic law once the UK leaves the EU, so all data controllers and processors must plan for compliance on that basis.
The Information Commissioner’s Office (ICO) has produced a helpful 12-step guide to help companies prepare for the change in the law, as well as many other documents and toolkits, and is encouraging companies to start preparing now. It has also recently announced a dedicated telephone advice line for small organisations to assist them in preparing for the new law.