To many the GDPR represents a “black hole” for businesses: a large unknown gravitational force capable of sucking in all aspects of business operations, or alternatively something so far away and unexplained that it can be ignored. However, with now only weeks until the new rules come into force, the latter view is no longer an option for companies wishing to be compliant before the implementation date of 25th May 2018.
While much of the hysteria has focused on marketing, IT security and privacy, HR departments process a large amount of personal data and with great personal data comes great company responsibility. From application through to dismissal (howsoever it occurs) a large amount of personal and sensitive data can be processed and held by HR. This can include:
· Application Forms / CVs
· Equal opportunities data
· Salary / Bank details
· Performance data
· Disciplinary issues
· Grievance complaints
· Absence / medical data
· CCTV footage
· Emails / phone recordings
As such, in this article we will look at some of the crucial aspects of the GDPR affecting Human Resource operations and highlight some key action points.
Day One Readiness
Firstly, I think it is important to emphasise that the obligations are upon employers from day one (25th May 2018). So, while I can understand the desire to ignore it, employers who do so can be liable for substantial fines for non-compliance (up to 4% of annual worldwide turnover or €20 million, whichever is greater). This means that HR departments must sit up and take notice of the GDPR.
Action Point: If it has not already been done, the HR function should appoint someone who is responsible for GDPR compliance. That person should commence a full data audit of all Personal Data (any information relating to an identified or identifiable natural person) held within the department, whether electronically or in hard copy. The audit could be done by way of a spreadsheet and should, as a minimum, establish:
· Type of data held
· The reason it was collected
· With whom it is shared
· Who has access to it
· The format it is held in
· How it is held
· Where it came from
· How long you have had it
· Where it is held
Changes to the information provided to employees/prospective employees
As it stands, employers should, at the point information is first collected, provide employees / prospective employees with a notice detailing why the information is needed and how it will be processed. This is often contained within a Privacy or Fair Processing Notice. Under the GDPR this requirement will continue; however, the notice itself will need to include significantly more information.
Action Point: HR should look at drafting new Privacy Notices for both current staff and prospective employees. While keeping the notice concise, transparent and easily accessible, employers will need to give information about how and for how long the data will be stored, the likely recipients, as well as information on the right to make a subject access request and to have data deleted or rectified. Employers should therefore be reviewing current privacy notices in advance of 25th May 2018.
Changes to Current Documents and Policies
The GDPR introduces a new standard for consent which limits the use of consent as a justification for processing data, particularly for employers. Under the GDPR consent must be freely given, specific, informed and an unambiguous indication of the individual’s wishes. While blanket data processing consents in contracts of employment have long been viewed as a less than ideal solution they are still utilised by many employers. Post GDPR it may be difficult for an employer to argue consent is freely given where the individual’s very employment may be dependent on the contract being accepted.
Action Point: Employers may not be able to rely on consent obtained prior to 25th May 2018 and, going forward, will need to justify processing employee data on that basis. Before that point employers should assess their current contracts and consider whether processing may be justified under a different ground. Here it may be easier to show that processing is necessary for the performance of the employment contract or for the purposes of the employer’s legitimate interests.
Further, current data protection, criminal records and data retention policies will likely need to be updated to ensure they meet the new requirements of the GDPR.
New reporting requirements
The GDPR will bring with it, for better or worse, mandatory breach reporting. This means that if there is a data breach, be it accident or unlawful action, the employer will have to notify the regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In making the report the employer must explain what happened and detail the potential numbers affected, the likely consequences and any response measures taken.
Action Point: The business should look to develop procedures to help detect, report and investigate any personal data breach. That obligation may naturally fall upon the HR department (dependent on the nature and structure of the organisation).
Extended data subject rights
The GDPR will also introduce an enhanced right to erasure (the right to be forgotten): the right to require an employer to delete any personal data it may hold when it is no longer necessary to hold it, or where the employee withdraws consent and there is no other ground to justify continued processing.
Further, where a subject access request (SAR) has been made, employers will no longer be able to impose a £10 administration fee; rather, the information must be provided without charge unless the request itself is manifestly unfounded or excessive. Additionally, where employers previously had 40 days to respond to the request, they will now have to deal with any SAR without undue delay and within one month.
Action Point: HR will have to update current procedures for dealing with subject access requests and expand the procedure to deal with the new rights created including the right to erasure.
The GDPR for the most part codifies best practice and HR departments need not fear it. However, it does demand a shift in perspective, making organisations take a proactive approach to the collection, use and retention of data.
Compliance is meant to be by design or default; as such, putting proper systems and methods of accountability in place now will be crucial to employers avoiding increased penalties.