This article forms part of our HR and the GDPR series in which Shoosmiths employment and data protection experts offer practical advice for UK employers, ahead of the coming-into-force of the GDPR in May 2018.
The General Data Protection Regulation (the Regulation) represents the most significant shift in European data protection legislation since the Data Protection Directive (enacted in the UK through the Data Protection Act) of the late 1990s. The Regulation presents a very significant challenge to all data-driven units of modern business, not least human resources (HR).
In this article, we explore the legal and practical challenges the Regulation's requirements pose to HR.
The GDPR expands the scope of European data protection legislation in both subject matter and territorial application. For the first time data processors (parties who process personal information on behalf of a data controller) will find themselves required to meet direct regulatory obligations. In addition, the Regulation's intended jurisdiction is no longer restricted to EU-based organisations. The Regulation brings in scope any organisation selling to or monitoring the behaviour of EU citizens. Like much European law, the extent to which the Regulation will see successful enforcement outside of the EU is a developing area.
From an HR perspective, these provisions raise very significant considerations for global employers, and for providers of virtual HR and HRIS products. For a multinational employer, a detailed understanding of global data flows will become increasingly key. This is especially critical where a centralised storage and database solution manages global (both EU and non-EU group company) HR data. Non-EU group companies using a shared resource may find themselves directly affected by the GDPR.
For outsourced HR and recruitment, and for HR software and IS providers, the Regulation is set to present a new legal burden. At present, suppliers acting as data processors have enjoyed liability limited to their contractual arrangements with data controllers. Under the Regulation such processors will be required to comply directly with the GDPR and, by extension, face direct liability (and, in certain circumstances, the same fine thresholds as data controllers).
As we covered in our first article, regulatory fines under the GDPR are set to increase well beyond the ICO's current enforcement ceiling of £500,000, representing a fundamental shift in risk profile for UK organisations.
That said, the Regulation grants Data Protection Authorities significant discretion as to whether, and the extent to which, fines will be imposed on an organisation in the event of a breach. In addition, the fine parameters are set against a two-tier system to account for the comparative seriousness of different breaches.
From an HR perspective, it is critical for organisations to consider whether existing policies and procedures fall short of GDPR compliance, especially where time limits may be a factor, e.g. in relation to breach notification (see below).
The Regulation mandates a host of required information, which a data controller must provide to an individual data subject at the point at which personal data is collected. Non-exhaustively, these include details of:
- the legal basis upon which personal data will be processed;
- how long personal data will be retained;
- if, and the extent to which, personal data will be transferred overseas, and, in the event that personal data will be transferred outside of the EEA, the appropriate safeguards in place to protect that data; and
- the mechanism by which an individual would make use of their data subject rights, including:
  - how to make a subject access request; and
  - how to request the deletion or rectification of personal data.
These mandatory requirements present challenges for employers both in relation to the employee/employer relationship and in the context of job applicant data. Employers must consider whether existing employee and applicant notices meet GDPR requirements and consider how the clarity and accessibility of notices can be ensured.
The Regulation significantly enhances the rights of data subjects, which will in turn present greater compliance obligations for employers. Areas which face significant change include:
- the information to be provided to data subjects in response to a subject access request - we will address this in detail later in the series.
- the Regulation mandates a more detailed set of information be provided to a data subject, particularly in relation to the purpose and means by which personal data is processed.
- data rectification rights (in circumstances in which data held about a data subject is inaccurate or incomplete) - in some respects rectification rights remain unchanged under the Regulation. However, data controllers will now face a mandatory obligation to notify other third parties in the event that data is amended in response to a data subject request. Employers should be prepared to notify any third parties to which employee data has been transferred and consider how they might implement procedures to action this obligation in practice; and
- the right to be forgotten - this new right presents a potentially significant practical challenge for employers, particularly where employee personal data is backed up in somewhat inaccessible or complex systems. Much like rectification rights, a data subject's right to have their personal data deleted on request should prompt all employers to consider how this would be practically achieved.
The Regulation introduces dramatically enhanced requirements in relation to breach notification. In summary, an organisation:
- must notify the relevant DPA within 72 hours of becoming aware of a breach, unless it can provide justification for a delay; and
- is required to notify data subjects affected by a breach directly, without undue delay, if the breach is likely to present a high risk to the individual's rights and freedoms. This is tempered by exceptions, such as where the personal data is encrypted. Under these limited circumstances, controllers may be spared the obligation to notify data subjects directly.
For HR, this presents a two-fold challenge. Should a breach originate within HR itself, effective co-ordination between HR and an organisation's legal and/or compliance teams is likely to prove critical (especially when considering the tight timeframe for response). In addition, should the breach affect employee data and require data subject notification, HR is likely to play a key management role. Ensuring compliance will likely require a complete review of internal policies and procedures, with a particular focus on efficient internal communications.
A change HR is likely to feel very directly is in relation to the use of consent as grounds for processing employee personal data. As covered in our first article, non-specific consents to processing are unlikely to be considered valid under the GDPR. We will address the issue of consent later in the series.
Practical steps to compliance
The following are likely to prove critical risk management steps:
- comprehensive gap analysis and business wide data protection audits;
- a full review of internal and external policies, procedures, templates and information notices;
- consideration of consent alternatives; and
- consideration of (potentially mandatory) data protection officer appointment, and instruction of external legal/compliance support.
Our next article will look at how to conduct a gap analysis and a wider data protection audit.
The GDPR clearly represents a significant compliance hurdle. In an HR context, it is important to recognise that the Regulation alone does not comprise the complete set of rules with which employers must grapple. The GDPR expressly provides EU member states with some scope to set out national rules, specifically in relation to HR-related data. Employers must therefore maintain an awareness of developments at a national level, especially in relation to equality, recruitment and health and safety provisions.
Employers should, however, take some comfort that some element of harmonisation between EU data protection law and the UK's eventual domestic position will be desirable. Compliance with the GDPR's requirements will likely be the most efficient way for organisations to futureproof.