< Back

Share |

Data protection for UK and EU HR teams – what lies ahead

March 2017

Data protection has become an ever-present issue for HR teams across the EU, impacting on everything from handling personnel information and processing payroll to dealing with sick notes and managing grievances.

The landscape of data protection regulation is about to change. The General Data Protection Regulation (GDPR) is looming on the horizon; the EU-US Privacy Shield plugged a gaping hole in the regulation of transatlantic data transfers, but could turn out to be a temporary solution; and then there is Brexit to contend with. It is clear there are choppy waters ahead. So where are we now, and how do HR teams begin to navigate what is to come?

General Data Protection Regulation

The GDPR will be the biggest change to EU data protection regulation in over 20 years, seeking to harmonise and modernise data protection laws in line with today's digital age. The GDPR will apply from 25 May 2018, and expands the scope of European data protection legislation, applying not only to EU companies but also to non-EU data controllers and data processers (to the extent they offer goods or services to data subjects in the EU or monitor data subjects' behaviour within the EU).

Further details of the impact for HR teams are set out in our other articles this month.

EU-US Privacy Shield

Global transfers of personal data are often part and parcel of processing employee information. Whether it is the movement of data between a parent and subsidiary in different jurisdictions, or the use of software which involves data being hosted on servers held overseas, this is a real issue for EU HR teams.

The data protection regime in the EU requires (and will continue to require under the GDPR) that wherever data is exported outside the EEA, steps are taken to ensure that the receiving country provides an adequate level of protection for the rights and freedoms of data subjects.

This is particularly relevant for data transfers to the US – a real issue given the volume of software and cloud services hosted on US servers.

Until 6 October 2015, the Safe Harbor regime was a data export solution which provided a framework for data transfers between the EU and US. It allowed US companies to self-certify that they ensured an adequate level of protection for the rights of data subjects under EU Directive.

Following the well-publicised claim by Maximillian Schrems about the processing of data by Facebook, the Court of Justice of the European Union declared Safe Harbour invalid.

After a period of uncertainty, the EU-US Privacy Shield was adopted by the European Commission on 12 July 2016. The new arrangement allows US-based organisations to apply for self-certification under the scheme with the US Department of Commerce.

Do HR teams need to do anything different?

It may seem that we have moved from one self-certifying scheme to another, but in spite of all the effort that has gone into making Privacy Shield more robust than Safe Harbor, it is likely to remain vulnerable to challenge. Until there is a definitive resolution, there are some important steps and precautions that EU HR teams should consider taking.

First, it is advisable for EU HR teams to consider alternatives to the Privacy Shield. One option is to ensure that agreements with US companies under which data is transferred include European Commission approved model contractual clauses. These clauses seek to provide an equivalent level of protection for data subjects to that in the EU. Even here there is some uncertainty, with question marks around the adequacy of these model clauses, but for the time being this remains a valid data export solution.

For intra-group transfers of data between the EU and US, another option is to adopt Binding Corporate Rules (BCRs). Again this provides a viable alternative and is worth considering, particularly where there are frequent transfers of data between EU and US HR and payroll teams. But beware, the adoption of BCRs can be a fairly cumbersome process.

Another alternative is to avoid the issue entirely by locating all personal data in the EU rather than the US. Data protection authorities in various EU Member States, notably Germany, have intensified their audits concerning companies’ data transfer compliance and have already applied sanctions and fines for non-compliance. Multi-national employers need to look at their international data transfers and adapt their strategies if they have not already done so.

How will HR data be affected by Brexit?

For the UK, it is inevitable that both the GDPR and Privacy Shield will be impacted by Brexit. Strictly speaking the impact will depend on whether the UK remains a member of the EEA although that is currently looking unlikely.

Remain in the EEA and it would be business as usual; leave and, despite the fact that the UK government has said it will implement the GDPR, there will be some major issues to face. For example, the 'one stop shop' mechanism which allows the majority of businesses to deal with a lead Supervisory Authority, may be unavailable to UK businesses with EU operations and the UK's regulator, the ICO, is unlikely to continue to play a role on the European Data Protection Board which will help deal with enforcement and guidance.

As for cross-border data flows, it is unclear whether or not the UK will be deemed to provide adequate protection to personal data flowing from the EU. The EU has already voiced concerns over the Investigatory Powers Act so adequacy is by no means a foregone conclusion despite the implementation of the GDPR. The UK may also need to adopt a new regime directly with the US in a similar way that Switzerland has done. Given the strengthened obligations under the GDPR to ensure the adequacy of data protection in international data transfers, this is a key issue which the government has already highlighted as a priority in its White Paper on leaving the European Union.

Data protection continues to present challenges to HR teams in the EU. Whatever the future holds, early preparation and review of existing practices will be essential in the run-up to application of the GDPR, not to mention Brexit.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Data Protection for EU HR teams – what lies ahead
Colin Godfrey

Colin Godfrey

Colin looks at the most pressing issues facing UK and EU HR teams.

"Whatever the future holds, early preparation and review of existing practices will be essential in the run-up to application of the GDPR, not to mention Brexit."