For many years HR functions have been responsible for looking after a significant part of an organisation’s data, and we have become practised at ensuring that it is securely held and used in a responsible manner. However, the General Data Protection Regulation (GDPR) is looming (25th May 2018) and it is likely to mean changes for even the most diligent HR data managers!
What is GDPR and why should I be concerned about it?
The GDPR is the EU’s new data protection regulation and it replaces the existing Data Protection Directive. It aims to strengthen the data privacy rights of all individuals in Europe, and so any organisation that deals with people’s personal data is obliged to meet the new standards of transparency, security and accountability.
GDPR will see the rights of individuals, including employees, and the obligations of any organisation that has access to their data increase. The UK may be facing Brexit, and Jersey has never been part of the EU in the first place, but organisations in the Channel Islands will still fall under the wide umbrella of this new legislation if they are offering goods or services to EU (including UK) citizens or monitoring their behaviour. The States of Jersey have, therefore, decided to incorporate GDPR into local law in line with the EU’s 25th May legislative timetable.
Failure to comply could mean significant fines for businesses, whatever their size and nature. As such, if you haven’t yet taken action to ensure your HR function is compliant, you really do need to start now!
What steps should your organisation be taking?
1. Awareness and engagement. Make sure that everyone is aware of the changes ahead and what they will mean for all parts of the business. The Board/senior management really can’t duck this one, as it is impossible for one person or function to be responsible for all of the organisation’s data management. Making clear the potential penalties of data breaches and non-compliance with GDPR should help to capture senior management attention (up to 20m Euros or 4% of global annual turnover, whichever is higher, depending on the gravity and nature of the breach/failure)!
2. Data Protection Officer. Your organisation should appoint someone as Data Protection Officer to be responsible for ensuring the whole organisation complies with GDPR (this is best practice, but may be mandatory depending on the nature of your business). You may want to give a person within the HR department a mini version of this role, to ensure your own department is in order too. The Data Protection Officer should be credible and well qualified to hold this role, and so it may mean that you will need to invest in their training.
3. Data Review. The whole organisation, including HR, should carry out a detailed and comprehensive review of:
- all the personal data that you hold and whether any of it is ‘special category’, such as health data
- where it comes from and where it is sent
- whether you actually need to hold and process this data (for example, is all of the personal data requested on your job application forms really necessary?). What is its purpose?
- how the data is processed and whether that processing is compliant with GDPR
- how you will provide individuals with details about the processing of their data and their rights under GDPR.
4. Individual consent. Under GDPR, consent is a key part of ensuring that individuals have control and understanding of how their data is being used and processed. Consent must be freely given, specific, informed and unambiguous. As such, there must be a positive indication that agreement has been given (a pre-ticked box or silence will not do) and data managers must be able to evidence this. Bear in mind that consent is only one of several lawful bases for processing and can be withdrawn at any time; where there is a clear imbalance of power, as between an employer and an employee, regulators regard consent as unlikely to be freely given, so do not rely on it where another basis (contract, legal obligation or legitimate interest) fits better.
5. Rights of access. Individuals’ rights of access to their data are enhanced and extended under GDPR. Individuals will have the right to correct inaccurate data, to have personal data erased (commonly known as ‘the right to be forgotten’), to prevent direct marketing, to object to automated decision making and profiling (common in recruitment, for example) and to data portability, ie to receive their data in a usable format and have it transferred between controllers (eg from your company to a pension provider).
6. Access requests. You will need to be prepared for access requests and should have clear policies and procedures in place to deal with them, which means you must be clear on data retention periods and rights to have the data corrected. You will not usually be able to charge a fee for providing the data, and a response to the request must be provided within 1 month (extendable by a further two months where requests are complex or numerous, provided the individual is told of the delay within the first month). Being able to find all of an individual’s data quickly depends on the data review in step 3, so keep that inventory up to date.
7. Privacy notices. It is essential that you are clear and transparent regarding how individuals’ data will be processed (including who will be handling it) at every point in the organisation where personal data is collected. This may be from clients, suppliers, contractors, employees or other stakeholders. From an HR perspective this will include all stages of the recruitment process, collecting and holding data on employees and ensuring that data provided to external providers, such as pension providers and training companies, is also correctly notified and handled. The privacy notice should include:
- Purpose and legal basis for processing
- Who will receive the data
- Countries outside of the EU that data might be transferred to and the safeguards in place
- How long you will retain the data for
- The fact that the individual has rights and what these rights are, including their right to withdraw consent and to complain to the Data Protection Authority
- The contact details of the organisation’s Data Protection Officer
- The basis of the data provision, ie whether it is statutory, contractual or due to ‘legitimate interest’ (details of the interest relied on must be provided to support the latter)
8. Forward planning (Privacy by Design & DPIAs). You must build into all project planning a mechanism to ensure that data protection is considered and documented early on in any projects and tasks involving personal data (and then regularly reviewed once established). It is good practice to carry out Data Protection Impact Assessments (DPIAs), and they are in fact a requirement where processing is likely to result in a high risk to individuals, for example automated decisions or profiling that could have a legal or similarly significant effect, large-scale handling of ‘special category’ data (an example in HR could be health data) and large-scale systematic monitoring of areas accessible to the public.
9. Data Breaches. Any data breach that is likely to result in a risk to individuals’ rights must be reported to the Data Protection Authority within 72 hours of your becoming aware of it, and where the risk is high, impacted individuals must also be told what has happened and what those risks are, eg identity theft. Every breach, reportable or not, must be documented internally. The 72-hour clock means you need a procedure now for staff to recognise, log and escalate a suspected breach (a misdirected email containing personnel data, a lost laptop, a compromised HR system) without delay.
Quick facts for HR professionals:
– Recruitment processes and procedures are likely to be a big area of risk and review for HR. How many recruiting managers have emails and CVs from past candidates in their inboxes and files that should have been deleted years ago?! Ensure that you are only requesting personal information that is really necessary, that candidates have been told the lawful basis on which you hold it, and that you only keep it for the agreed retention period. Make sure that all of your employees involved in the recruitment process understand this too.
– You will be able to process employee data on the basis that you have a legitimate interest or that it is necessary under the employee’s contract. HOWEVER, given the significant extensions to individual rights and consent under GDPR, you may find that your current terms and conditions of consent as outlined in the contract of employment are no longer sufficient. As such, it is important to review your contracts of employment and employee data consent forms to ensure that they will stand up to GDPR. If there is any doubt that they do, I would recommend that you gain clear consent in writing from current employees (including clarifying their rights, etc), and update your standard contract of employment/consent forms before 25th May.
– You will need to ensure that your arrangements for holding and processing data are appropriately secure for the risk involved, and change the way that you store data if they are not, eg personnel files kept in a locked room or cupboard, and electronic systems that process and hold data restricted to those who need access, with strong authentication, data encrypted in storage and in transit, and a record of who accessed what so that a breach can be identified and investigated.
– Your own employees will have rights under GDPR, and are free to find out what, why and how personal data is being processed by HR. They may see their personal data and request that data is corrected or erased if it is not necessary to hold it. As such, carry out a review of all the information being held on personnel files to ensure that only necessary data, and data that is within the required retention period, is held (including disciplinaries, etc). Failure to maintain your records correctly falls under the lower tier of fines, up to 10m Euros or 2% of global annual turnover….
Arbre Consulting will provide tailored support and advice to HR functions preparing for GDPR. Please do contact firstname.lastname@example.org to discuss how we can help you.