On May 25 2018, the General Data Protection Regulation (the ‘GDPR’) will come into effect, affecting any organization that processes the personal data of individuals who are in the EU.
Organizations have less than a year to ensure that they are ready for GDPR compliance, or risk heavy fines and a damaged reputation.
The protection of personal data is a serious matter, and so GDPR has been introduced to strengthen and future-proof the ways in which individual data is protected.
As gatekeepers and processors of personal employee data, HR leaders and teams have a critical role to play. So here are eight things all HR and People leaders need to consider in order to be ready for GDPR.
1. Audit your existing approaches to managing people data and processes
All personal data must be processed lawfully; therefore, HR leaders – working with IT and legal departments – will need to review their existing processes for collecting, handling and protecting employee personal data. This includes:
- Checking the process for data protection and privacy impact assessments for employees
- Clarifying roles, responsibilities and processes around incident management, including documentation and reporting
- Checking that there are sufficient ‘version control’ and review processes in place for HR policies, to ensure that they are up-to-date and reflective of the GDPR
- Identifying all HR and People systems, and assessing their related risk based on existing data protection rules, such as ISO27001
- Considering the personal data collected and any necessary consent gathered at all stages of the employee journey for your entire workforce – from candidate to employee – to ensure that these meet the requirements of the GDPR
2. Work with your Data Protection Officer to ensure compliance
Some organizations will have to appoint a ‘Data Protection Officer’ (DPO) if they are processing sensitive personal data on a large scale. They will become one of HR’s most important partners in making the necessary preparations for GDPR.
Your DPO should have support from senior management, and be allowed access to relevant systems and processes to ensure that the protection of personal data is maintained. DPOs must have the necessary professional qualities and, in particular, have expert knowledge of data protection law and practices.
A DPO’s duties include advising on the GDPR, raising awareness of company policies, training staff involved in processing operations, and liaising with the data protection supervisory authorities.
3. Consolidate your people data to make protection easier
As with existing EU legislation, individuals have the right to ask organisations to grant them access to their personal data (a ‘subject access request’) and provide them with a copy. HR and People teams should ensure that there are systems in place that allow them to easily manage, access and retrieve this information.
Smarter and fewer HR applications will make this much easier. Cloud-based ‘software as a service’ (SaaS) applications give you on-demand access that is secure and private. Having all your people data in one place gives you a single source of truth and record of data, making it easier to locate what you need, when you need it, and to provide access to your employees when they have requested it.
4. Review existing consent your employees have previously given
Where information is to be used for purposes other than for the general employer-employee relationship, and cannot be said to be necessary for the performance of the employment contract (or legitimate business interests), employers may have to rely on an applicant’s or an employee’s consent to process personal data.
For example, this may come up when you wish to keep the details of unsuccessful applicants or leavers, with a view to keeping them in mind for future vacancies.
As with the current legislation, consent must be freely given, specific and informed. However, the GDPR also requires consent to be clear and indicated by a statement or by affirmative action. Furthermore, it must be specific to the activities and must not be ‘bundled’ with other matters. This means that silence, pre-ticked boxes and inactivity will not amount to consent.
HR and People teams will need to review how any existing consents of applicants and employees were previously captured. You should consider using a separate form for this, rather than just including a clause in an employment contract.
Whilst you are not automatically required to refresh consents, if existing consents do not meet the GDPR standards, then unless you can establish another lawful basis for processing that data, you will have to revisit consent.
Individuals continue to have the right not to be subjected to decisions based solely on an automated process (for example, when being assessed for a job), so employers will need to take care with this also.
5. Develop a clear communication strategy
The rules on how data is kept and used will become much more stringent and it is vital that HR and People teams become more transparent, communicating to employees exactly how their data is processed.
HR teams must understand their roles and responsibilities regarding data protection, and how they will handle any data breach or data loss.
Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
- How long data will be stored for
- If data will be transferred to other countries
- Information on the right to make a subject access request
- Information on the right to have personal data deleted or rectified in certain instances
The GDPR also requires even further information to be provided to individuals, e.g. the right to lodge a complaint with a supervisory authority, the period for which data will be stored, the right to withdraw consent and, in some cases, the right to data portability (to have data contained in electronic files returned to the individuals or sent direct to another organisation in a structured, commonly used and machine-readable format).
6. Use employee self-service to ensure transparency and accuracy
Self-service has long been a valuable tool to provide employees with simple on-demand access to the key information and tasks that they need.
Employers should consider using self-service to capture employee consent (where required), provide access to personal data records, provide the ability to request data changes or transfers, and any other updates your workforce might need. This will help HR and People teams deliver the transparency, accuracy and compliance required under the GDPR.
7. Report breaches in data immediately
HR and People teams, or whoever is responsible for how data is processed in the organization, will have to notify supervisory authorities (the Information Commissioner’s Office, in the UK for example) of personal data breaches within 72 hours, unless the data is encrypted or doesn’t identify individuals.
This means you’ll need to review your current data breach reporting mechanisms. Where there is a high risk of harm to employees, they will also need to be notified ‘without undue delay’.
It’s important to review your security provisions and to consider any potential issues that could arise because of the way that you store data currently.
8. Consider the implications in your other global offices
If you’re a fast-growing company with offices or employees in locations globally, the chances are that this will affect you in one way or another. GDPR applies to any organization worldwide that handles the personal data of individuals who are based in the EU, so there are likely implications for your entire global organization, not just those located in the EU member states.
Employees will have to be informed of their rights and how their personal data will be processed, and HR and People teams will need to consider how they orchestrate this at the global level, whilst maintaining compliance with other local laws.
The cost of non-compliance is high. Your company could be fined up to 4% of your annual global turnover or €20 million (whichever is greater) for serious offences like not meeting the basic principles for processing, including not having obtained any required consents, or for breach of an individual’s rights.
Smaller fines of 2% can be applied for failing to keep your records in order, failing to report a breach or failing to conduct privacy impact assessments where the processing is likely to result in a high risk to individuals. Equally, a data breach could result in mistrust of your company, which could affect employee recruitment, engagement and retention. Are you ready for the GDPR?
Want to find out more? The Information Commissioner’s Office has published further guidance for companies on their website.
Here’s the legal bit. Please note that the information contained in this blog is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.
While we have made every effort to ensure that the information provided in this blog is correct and up to date, Sage People makes no promises as to completeness or accuracy and the information is delivered on an ‘as is’ basis without any warranties, express or implied. Sage People will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.