< Back

Share |

Key concepts for HR

March 2013


As the importance of personal freedom and information has grown, the EU has sought to update the Data Protection Directive of 1995 to create a more regularised EU regime.

The proposals contained in the draft EC data protection Regulation (Regulation) bring data protection to the fore once again for the HR professionals who will need to become familiar and comfortable with the new obligations and think ahead to what measures they will need to put in place.

Key issues to consider

stairsThere is no set implementation date for the Regulation though it is expected from 2014. In the interim, the Data Protection Act 1998 ("DPA") continues to apply.

There are certain steps which HR, and employers in general, can take to prepare for the Regulation including:

  • review and implement policies including on what data will be held. This may aid the ability of the company to erase data and meet the right to be forgotten;
  • ensure an easily searchable IT system to be able to handle any Subject Access Requests and ease the process of dealing with these;
  • consider whether a Data Protection Officer ("DPO") needs to be appointed and what documentation this will entail;
  • ensure training of staff on the new regime;
  • consider what data actually needs to be processed and its context; and
  • consider how it will meet the notification requirements.

Multinational organisations will need to consider the question of which "home authority" will be applicable in circumstances where, for example, a business'es HR function is centralised and based in the UK, but the corporate headquarters are in a different country. Could there be dual home authorities? Many such large scale organisations already have "data protection champions", but the new requirement for DPOs will need to be addressed. Given the focus on compliance, a cautious approach would be recommended until further clarity is provided.

Financial penalties

Companies should be aware of the sanctions available for breaches of the Regulation. The lowest sanction is a written warning where:

  • there was no commercial interest in the data processing: or
  • the company employs under 250 people and does not have personal data processing as its main activity.

moneyHigher sanctions range from a fine of €250,000 or 0.5% of annual worldwide turnover through a fine of €500,000 or 1% of annual worldwide turnover to a highest level fine of €1,000,000 or 2% of annual worldwide turnover for a variety of intentional or negligent offences.

In the interim, the Compensation and Sanction regime under the DPA remains in place.

Key Concepts for HR Teams

In addition to the compliance requirements, the Regulation impacts on the following key concepts, which are particularly relevant for HR purposes:

  • personal data;
  • consent; and
  • the right to be forgotten

Personal data

In terms of scope, under the Regulation, personal data will mean "any information relating to a data subject". Whilst this seems to provide continuity with the original regime, this will catch any information relating a living individual, whether anonymous or not, if it means that the individual can be identified.

It is, therefore, a challenge to see what, if any, HR data will be seen as non-personal data. In addition, this may expand the range of data which may be included as part of subject access requests. It may be that by turning personal data into anonymous information, that information can be held with a more limited risk of a data breach.

HR teams should consider how this can be achieved, using 'privacy by design' principles such as a clear anonymisation policy. Consideration and understanding of what constitutes personal data will be key to limiting breaches as well as to understanding when consent may be needed for transfer of information which can be re-identified.


Under the Regulations, consent is taken to mean that which is "any freely given, specific, informed and explicit … either by statement or clear affirmative action". An issue is whether this can ever truly be given, especially in the context of employment relationships.

In addition, the controller has the burden of proof to show that the consent has been given which needs to be explicit and specific to the matter in hand. Further, the data subject can withdraw consent at any point which would affect any subsequent data collection. The consent cannot be a legal basis for processing where there is a significant imbalance of power between the parties.

In practice, it is difficult to determine the meaning of 'significant imbalance' but HR and controllers should seek to limit risk by clearly stating the data to be collected and ensuring that unequivocal consent is given, for example, in the employment contract.

Right to be forgotten

The proposed right to be forgotten is combined with a right to erasure where:

  • the information is no longer necessary to the collection:
  • where the subject withdraws their consent or objects: or
  • where the processing breaches the Regulation.

Further rules could be specified by the Commission going forward.

lockThis will likely have its greatest impact on former employees as arguing that holding their data is necessary and that the erasure of the data should not occur without delay may be difficult.

However, where a company is involved in defending a claim or where it has to provide a full reference, for example, concerning what positions have been held by an ex-employee, it could be acceptable for HR to maintain the records.

As a general means of protection, HR should avoid keeping information where it is no longer necessary and should ensure a clear retention policy is in place which is communicated to individuals.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.