The General Data Protection Regulation (“GDPR” or “Regulation”) will come into force on 25th May 2018. As part of our HR strategy for 2017, I have been asked to start assessing our company’s compliance with the Regulation from an HR perspective. How do we handle it?
The GDPR will not generally require transposition into Irish law, so if your business is involved in data processing of any sort, the Regulation will impact you directly from that date forward. Breach of the Regulation could cost your business dearly, including significant fines of up to €20m (or 4% of total annual global turnover, whichever is greater) for serious infringements, so early planning is essential. The following list identifies some key steps which might form part of your HR strategy for 2017.
1. Become GDPR Aware
The GDPR will be more relevant to some areas of your business than others. For that reason, any move towards compliance with the Regulation should be done in consultation with key senior personnel in your company. Areas that may cause serious compliance problems should be identified from an early stage.
2. Establish a framework for accountability
The GDPR requires organisations to be in a position to demonstrate and document how they comply with the Regulation. To do this, an important first step for the HR team would be to make an inventory of all personal data it holds (of all workers, including agency workers and contractors) and to look at it under various headings, such as:
a) What personal data is held by your business?
b) Why are you holding it?
c) Where is it located?
d) Where is it transferred from and to (including to third parties and cross-border)?
e) How is it secured throughout its lifecycle?
f) How long will you retain it?
This HR inventory tool should allow the team to update it for new hires and leavers as appropriate and to be reviewed on an ongoing basis.
3. Check your privacy notices and policies
Review all privacy notices as they relate to staff. In carrying out this review, identify gaps that exist between the level of data collection and data processing your business engages in, and how aware you have made staff (or customers or any service users), of this fact.
Under the GDPR, businesses will be required to give more information than what is currently required, such as stating the legal basis for processing the data, retention periods, the data subject’s right of complaint, and providing information about individual rights under the GDPR.
4. Check your current procedures to ensure they cover all the rights individuals have
It is important that the procedures you have in place are well equipped to deal with requests from staff. From an operational standpoint, you should pre-empt the impact that this will have on your organisation and should ask yourself:
a) How long would it take to locate the personal data from the various locations where it might be stored?
b) Are you in a position to correct and delete the data if requested?
c) Who in your organisation will make these decisions?
d) Can you respond to a data portability request, for example if someone asks for his personal data to be given to him electronically?
It is important to be aware that the GDPR will make it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.
5. Plan how you will deal with data access requests
The logistical implications of having to deal with requests in a shorter timeframe (that is, reduced from 40 days to one month) and to provide additional information to the data subject will need to be factored into future planning for your organisation. Review how you currently deal with data access requests and amend the procedure so that it encompasses the additional information set out in the Regulation.
6. Review the legal bases relied upon for processing personal data
Consider what data processing you undertake and whether it is done by the consent of the data subject or due to a legitimate interest.
If you do rely on obtaining consent, review whether your documents and forms of consent are adequate and check that consents are freely given, specific, informed and unambiguous. Where consent is given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language”. Also, employees must be informed in advance of providing their consent that they can withdraw their consent at any time. Check that you have a system in place to deal with this possibility.
7. Put a Data Breach Response Plan in place
Clear policies and procedures should be put in place to ensure that you can react quickly to any data breach and notify the relevant parties in time where required. Consider implementing a system to mitigate the damage that might result from a data breach and what measures your business will put in place to ensure it does not happen again. A robust plan will be crucial to ensuring the company does not receive a significant fine following a data breach. Ensure personnel are properly trained on how to implement the plan.
8. Integrate Data Protection Impact Assessments (“DPIA”) in your risk management processes
A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow your business to identify potential privacy issues before they arise and come up with ways to mitigate them. DPIAs will be mandatory for some organisations and recommended as best practice for others.
9. Embrace Privacy by Design
Ensure that privacy is embedded into any new processing or product that is deployed by your HR team (and indeed across all business functions). This needs to be thought about early in the process to enable a structured assessment and systematic validation.
10. Consider hiring a Data Protection Officer (“DPO”)
Consider whether you will be required to designate a DPO. Even if you are not, depending on the scale and type of data processing engaged in by your company, it may be recommended as best practice. It will be important that the DPO is sufficiently independent from the business and is in a position to properly advise the company on its compliance with the GDPR.
Before Christmas, the Article 29 Working Party published a document, “Guidelines on DPOs”, to assist organisations in understanding the function and role of a DPO. See links below.
11. Review your relationships with data processors
Consider whether your HR contractual documentation is adequate and addresses all the areas required under the GDPR.
12. Review the security of all personal data
A review of how all personal data is stored should be undertaken. Any measures that can be implemented to bolster the security of data should be completed. For example, you should review how employees’ personnel files are currently stored both electronically and in hard copy.
13. Cross-border transfers
With any international data transfers, including intra-group transfers, it will be important to ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. You may want to consider adopting binding corporate rules to facilitate intra-group transfers of data.
14. Identify your Lead Supervisory Authority
Map out where your organisation makes its most significant decisions about data processing. This will help identify your lead supervisory authority.
Lastly, the GDPR allows countries to provide for more specific rules in respect of the processing of employees’ personal data in the employment context. To date, the Government has indicated its intention to publish heads of bill in the coming weeks relating to the GDPR and for that reason we should keep this area of law under constant review.
There is some guidance already available for companies. Our own Data Protection Commissioner (“ODPC”) has published a document, “The GDPR and You”, recognising, as the document states, that “the increased obligations that the GDPR…might cause some anxieties for business planners” (see link below to document).
She intends to publish more documents in the coming months. In addition to guidance on the hiring of DPOs, the Article 29 Working Party has published “Guidelines on the right to data portability” (see link below to document) and “Guidelines for identifying a controller or processor’s lead supervisory authority” (see link below to document), and it too has indicated its intention to publish further documents in the coming months.