This article is the penultimate one in our series on HR and the General Data Protection Regulation (GDPR); in it we look at some of the new concepts and principles that the GDPR creates and expands.
The GDPR seeks to change how organisations think about data protection and through principles such as privacy by design, transparency and accountability, it seeks to increase both the level of priority given to data protection by businesses and its integration into working practices on a day to day basis. No longer will data protection compliance be able to be left at the bottom of the list or treated as a 'nice to have' by employers.
Accountability is the key change under the GDPR and largely the means by which it will drive compliance.
Accountability is implied under the Data Protection Act (DPA), but it is a significant provision under the GDPR. In essence, it means that employers will not just need to be compliant but be able to demonstrate and evidence that they are. Further, this will be an express responsibility.
Meeting the accountability requirements will need to be more than just having a 'paper shield' of well drafted policies. There will need to be technical and organisational measures in place to protect personal data, an internal audit system and regular spot checks on compliance.
As Elizabeth Denham (the Information Commissioner) has said, 'The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks'.
Privacy by Design
Data protection compliance in line with the GDPR's principles will need to be considered at all stages of an organisation's operations: from the planning of a project, such as the implementation of new software or the installation of additional CCTV cameras, through to the documentation successful applicants need to complete during the recruitment process and how employee data will be assessed for destruction or retention at the end of the employment relationship.
Privacy Impact Assessments (PIAs) will be one tool that employers will need to use more and more in order to build privacy considerations into their systems, business model and procedures, and also to help them meet their accountability requirements. Employers should be striving to limit the risk to personal data in order to ensure compliance with the data protection principles, such as data minimisation, in all that they do.
In several cases impact assessments will be mandatory under the GDPR. Our next article will focus on when an impact assessment is needed and how employers should go about this.
It goes without saying that the accountability principle is going to require internal record keeping; however, there are specific requirements.
Employers with fewer than 250 employees must keep suitable records of data processing activities that concern high risk processing. If an employer has more than 250 employees it will need to keep records of all its data processing activities.
High risk data processing activities are those that risk the rights and freedoms of data subjects, the processing of special categories of data (currently known as sensitive personal data under the DPA), and the processing of data relating to criminal convictions and offences.
These records need to be clear and easily accessible as the ICO (or any relevant supervisory authority) can require sight of them.
Within the records kept, employers must record certain minimum information, including:
- the purposes for which the processing of personal data takes place (for example, in summary, personal data is processed to support and manage employees including complying with the obligations of employees' contracts of employment);
- a description of the categories of individuals and categories of personal data (for example, employee, customer and supplier data and the types of data held in respect of each; differentiating between personal data and special categories of data);
- retention of data schedules (for example, setting out clearly how long particular types of data are held for and why and the associated audit and disposal processes); and
- a description of its technical and organisational security measures (for example, in brief, setting out the policies and procedures in place covering data safeguards and security systems such as CCTV, server security, password protection and encryption and how these are used).
The GDPR requires that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The DPA currently provides that it must be adequate, relevant and not excessive. As such, the GDPR appears to go further than the current principle and narrow it.
What is necessary for the purpose is key: employers will not be able to collect personal data because it might be useful, or in case it is needed, with no specific purpose having been identified. Employers who process vast amounts of data may find this particularly challenging.
This again highlights why privacy by design will be so important for employers, as well as the awareness and understanding of employees who manage personal data on a day-to-day basis.
The systems and procedures that employers use, and any new technology or software introduced once the GDPR is in force, must only process personal data to the extent that it is necessary for the purpose for which it was collected in the first place.
Another strand of data minimisation, which already exists under the DPA and should be familiar to employers, is the need to limit access to personal data to only those who need it. Carrying out a PIA on systems and processes will help identify who needs to have access, how and why, and what safeguards will be put in place.