Chapter 4

Data and the world of work

IN BRIEF

– Data protection is a top priority in societies and economies where data have become the new currency. Data protection must be well-balanced so that -big- data can be used in a safe way and help to create business opportunities and growth;
– The General Data Protection Regulation (GDPR) responds to the need of uniform rules on data protection. Derogations must not undermine the European level playing field in data protection;
– The Commission, together with national Data Protection Authorities (DPA) should do more to make citizens, companies far more aware of GDPR and its requirements and benefits;
– The “GDPR one-stop-shop” must swiftly become fully operational; – The Commission is responsible for a consistent implementation of GDRP across the EU.

Big data is the new currency of the economy. The ability of companies to collect, analyse and use data provides opportunities for a new, innovative and more internationally competitive digital manufacturing industry and will bring benefits for consumers and workers as well as businesses

How GDPR supports industry

Arguably, legislation has not kept pace with technological progress and the development of big data.

With the entry into force of the GDPR, Europe is aiming to become the global leader in data protection. It puts data protection in Europe on a new footing, with uniform rules across Europe applied by any company operating within the EU or dealing with EU based businesses. It will provide individuals with greater control over their personal data and to simplify the regulatory environment for business, by overcoming the fragmented 28 national data protection regulations. Properly and safely managed data can help create new business opportunities and support growth in a sustainable way.

Employer - employee relationship

It is essential that individual employees give their informed consent for the collection, use and processing of personal data. In particular in companies where no formal worker representation exists.

The GDPR provides a framework for the collection and processing of personal data – elements of it are overly bureaucratic and not practicable.

The need for a level playing field also applies in the context of employment, in order to avoid a fragmentation of national regulations by the use of derogations.

GDPR rightly recognises the legitimate interests of multinational businesses in the international transfer of employee data, in particular for the purposes of centralised personnel administration. In principle, the same legitimate interests apply to nationally operating companies, mainly SME’s, with regard to the performance of the employment contract, e.g. personal data necessary for the payment of salaries, the management, planning and organisation of work, and safeguarding health and safety.

Employees’ interests are appropriately protected by the GDPR. Existing protections have now been enhanced (GDPR, Article 22), recognising that a delicate balance must be struck between the interests of employers and the data of their employees.

Legal certainty

Inter-connected, web-enabled devices (smartphones, desktops, tablets, vehicles or wearables) enable the tracking of employees. This calls for certainty in the processing of work related data which is in the legitimate interest of the company, while respecting the privacy of individual’s data. The Commission and the EU’s independent Article 29 Data Protection Working Party should look into developing solutions that help improve clarity in the application of GDPR and propose adjustments, which are likely to become necessary.

GDPR compass

All organisations located in Europe will have to comply with the General Data Protection Regulation (GDPR). This regulation imposes new, more extensive legal obligations on them. A lot of uncertainty existed on what and how the GDPR would have applied. Additionally, if a company had the intention to implement the regulation, where should it start? That is why Agoria, the Belgian sector organisation of the tech industry and a Ceemet member, developed an online tool, a compass.

In a highly complex topic, the aim of the GDPR Compass is to keep the process as accessible as possible. The process therefore:

  • Uses simple yes/no questions for the diagnosis of data processing;
  • Has pop-ups providing additional information on terminology and concepts;
  • Lists the key measures to be taken to comply with the new legislation;
  • Summarises the actions to be taken in a report that can is for internal use and/or for inspection by the auditors.

By guiding companies step-by-step to become GDPR compliant, industry is taken up the role as facilitator and explaining how compliance can be achieved, in an understandable language.

GDPR training

Ahead of the General Data Protection Regulations coming into force on 25 May 2018, EEF, the manufacturers’ organisation produced a series of national training seminars for manufacturers, backed up with company level advice and support. Given the scope of the subject matter and the potential impact on employers of non-compliance, the seminars were extremely well attended.

The different seminars came in a master class, a seminar on HR and a business compliance seminar. The aim of these seminars was to expand the practical GDPR knowledge of business leaders into their pan-business functions, including, finance, sales and marketing, procurement, IT and operations. And making sure they understand the direct impact of GDPR to business.

The overall objective was to ensure employers:

  • Gained hands on practical knowledge on the preparations required for GDPR Compliance;
  • Gained a comprehensive overview of the ‘must have’ documents required for GDPR compliance across various business units;
  • Accessed at first hand, to the advice, guidance and insight of our Data Protection experts;
  • Shared experiences and knowledge.

Where GDPR can be improved

GDPR could eventually create barriers for innovation, affecting start-ups or the development of companies as businesses today cannot easily predict what data they will need in the future.

The EU must critically scrutinize the appropriateness of this approach and be alive to developments in business which might be stifled by the GDPR.

The Commission and Member States’ DPAs should do more to make citizens and companies, far more aware of GDPR and its requirements and benefits. Currently there is much uncertainty, and little EU or member state level investment in familiarisation, affecting companies’ ability to invest in and finally comply with GDPR.

The Commission’s guidance to facilitate a direct and smooth application of GDPR of January 2018 is a small first step but left little time to have any effect before the GDPR came into force.

It is a positive development that the GDPR has introduced a basis for uniform and clear rules for all Member States. But derogations must be restricted and minimised so as to avoid a plethora of regulations that would undermine GDPR’s goal of creating uniform European rules.

Today there are many companies in the manufacturing and technology-based industries where data processing only plays a supporting role in the actual business, but which now have to comply with far-reaching and overly burdensome information requirements. This will put disproportionate costs on certain companies, rendering them less competitive.

Next steps

A consistent implementation of the GDPR across the EU by all member states is a major stepping stone for the completion of the Digital Single Market.

However, the regulation must continue to be reviewed to ensure they are fit for purpose and flexible enough to ensure it helps, rather than hinders. Always properly balancing business interests, and consumer and data subject interests.