Plans for new data protection rules in the UK were confirmed in the Queen's Speech last month, with the aim of giving individuals more control over their personal data - replacing the existing Data Protection Act of 1998.
The new rules complement incoming EU legislation, the General Data Protection Regulation (GDPR), which comes into force in 2018.
Often, the responsibility for data protection falls on the IT department. In addition, many organisations either have no formal accountability for privacy or fold it into general legal or compliance teams.
However, if organisations fail to prepare for the incoming legislation, the potential fines for data breaches could be €20,000,000 or four per cent of global turnover - whichever is greater.
Helen Hall, Legal Director at DLA Piper, believes businesses must make it their priority to have a team accountable for ensuring their company is prepared. Speaking to HR Grapevine, she explains what HR teams need to do to prepare themselves for the forthcoming changes, especially when it comes to data. “For HR data, the situation is complex,” she says. “There is a lot of information, from multiple sources and often captured or circulated informally.”
Often the data is sensitive, covering subjects such as race, criminal records and medical information, but the main GDPR issue with HR data will be for companies that mainly trade with other businesses, Hall reassures.
“To understand what can and cannot be done under GDPR, it is important to understand what businesses use HR data for and why they need it,” Hall explains. “To know whether an organisation can rely on legal compliance as a basis under GDPR for capturing and using information about employees, you have to understand what employment laws really require. That’s where HR professionals are the experts.”
Any organisation that deals with external data (for example, in recruitment) will have to send a request for consent, complete with information on how long the data will be stored, whether it will be transferred, the right to make a subject access request and the right to have personal data deleted or rectified in certain instances. These consent requests also cannot be littered with legalese. According to the Information Commissioner's Office (ICO), privacy notices must be given in an intelligible and easily accessible form and should be made available using the most appropriate mechanisms.
Since HR data also covers sensitive information about employees, the ICO advises firms to maintain records of their processing activities to ensure this complies with GDPR. This entails mapping what data is held, what it is used for, how and where it is stored and who has access to it. According to the ICO, this will help you to comply with the GDPR's accountability principle, "which requires organisations to be able to show how they comply with the data protection principles."
Another key aspect of the regulation is data minimisation, which states that firms should hold and process only the data absolutely necessary to complete the activities for which that data was collected.
Hall adds that implementing a GDPR strategy “takes significant time and resources” with “many organisations requiring a degree of external expertise to support them which will add to the cost.”
HR Grapevine will be guiding you through GDPR requirements as new information emerges, detailing how HR departments should prepare for incoming changes.