The new GDPR rules represent a series of extensive and (in part) complex changes that businesses and organisations will need to incorporate and keep under review from May 2018. Implementation will require several parts of the business to work together to ensure that all aspects of data storage and processing within the business or organisation are GDPR compliant.
Failures now come with significant financial penalty.
Given the scope of GDPR, businesses and organisations should be undertaking an impact assessment and drawing up a project plan which will require working groups that are cross departmental to address each aspect of data processing (i.e. IT, HR, Finance, Sales, Marketing).
From a HR and employee data perspective the issues that HR professionals will need to consider as part of the overall project plan will include:
1) Employee Consent
Employers should no longer rely on the type of passive consent that is currently common in standard employment contracts and so should update their employment contract templates.
To process employee data, the employer should not rely on consent under the new consent requirements and should instead rely on one of the 'other conditions for processing data' under which consent is not required.
Informed and proactive consent might be needed if the processing of employee data goes beyond the processing of basic personal data.
2) Update Policies and Procedures
Employers will need to review their Data Protection Policy (which will require important amendments) as well as the wider policies that connect to the various aspects of data compliance, including (but not limited to) the Whistleblowing Policy, Code of Conduct, Electronic Communications Policy, IT Policy and Home Working Policy.
3) Training Programme
Employees will need to understand the GDPR and how it applies to them in practice. Delivery of the implementation will need to be supported by a comprehensive training programme that is ongoing, regularly updated and regularly attended by relevant staff.
4) Breach Response
HR ought to contribute to and be a part of the business or organisation's breach response plan. Many data issues - such as data leaks - will commonly come to HR first, as they are almost always related to employees in some way.
5) Subject Access Requests
The rules on responding to subject access requests have changed, so HR ought to familiarise themselves with the new regime in anticipation of receiving a request after May 2018.
6) Impact Assessment and Project Plan
HR should be represented on the working groups tasked with identifying risk factors, impact and finalising the project plan.