New data protection rules: a step forward for privacy but with challenges for workers


(25 May 2018) The General Data Protection Regulations (GDPR) came into force on 25 May and apply to all organisations in the European Union that handle personal data. Many workers in public services deal with personal data, and the entry into force of the new regulations will involve changes to the way they work and uncertainty as to how their employers will implement the new rules. This will especially be the case where employers have not prepared well, posing risks for workers if they wrongly interpret how to handle data or requests for access.

EPSU supports the GDPR and its purpose to bring the Data Protection Act into the 21st century. It seeks to protect people from the inappropriate or unauthorized sharing of their data, particularly where it is for commercial exploitation. It is positive that citizens are getting control over the information others hold on them, but it will only work if workers in public services are part of this change. It is for employers to provide staff with clear guidelines, suitable training and awareness, as well as additional support when required. Respect for privacy does require investment in information and communication technologies in public services to accompany this modernization.

The GDPR lacks clear guidelines for the workforce, especially for those workers involved in the collection and use of data. Workers will be asked to demonstrate that their organisation is complying with the rules. EPSU underlines that employers have to inform employees. Workers need to be informed about their rights and responsibilities as data collectors and processors, and further about their rights as data subjects. We claim the right to be forgotten, the right to restrict processing and the right to data portability.

With the GDPR come more scrutiny and sanctions. We do not agree that workers can be held personally liable for employers’ failures to ensure that policies are fully compliant with the regulations. For example, what happens when a nursing home employee has their laptop stolen? It contained sensitive personal details, such as information on residents and employees, but was not encrypted as there were no clear instructions, programmes and training. The European Commission, the Member States, National Data Protection Authorities, and individual employers should engage in dialogue with trade unions on how to consistently support and train workers to comply with the new regulation.

For EPSU’s data privacy policy