After a two-year countdown, the implementation date for the General Data Protection Regulation (GDPR), 25 May 2018, is looming. Many organisations, particularly those which process large volumes of consumer data, will have been grappling with the challenges for months and will be reaching the final stages of their action plans. For others, the next few weeks are likely to involve a period of intense activity to ensure that the organisation can demonstrate it is compliant with the new regime by the implementation date.
For HR professionals, GDPR housekeeping will focus on:
- Carrying out an audit of how the personal data of job applicants, employees and contractors is processed
- Removing consent clauses from employment contracts
- Updating data privacy notices
- Reviewing the contract terms with third parties such as payroll or benefits providers.
Whatever the state of compliance, the following top tips are relevant to all employers:
No need to panic
In a perfect world, all employers will have implemented their GDPR action plan comfortably before 25 May 2018, the date on which the new obligations technically take effect. The reality is that for many employers this will be a work in progress extending beyond the deadline. This should not cause undue concern: it is highly unlikely that the Information Commissioner's Office (ICO) will be interested in using its resources to pursue employers who are actively engaging with their GDPR obligations and taking steps to ensure that they are compliant. In this regard it is notable that the new Data Protection Bill (which implements the GDPR in UK legislation) is still making its way through Parliament, and the ICO itself has not yet updated its Employment Practices Code to address the changes under the GDPR (and it is unlikely to do so before the summer).
Focus on the key risk areas
All of the HR housekeeping steps outlined above are clearly important. However, where time or resource is limited, organisations would be well advised to focus on the key risk areas where enforcement action is more likely in the event of a breach. In terms of HR data processing, this includes data security: taking steps to understand and address any areas of vulnerability in the disclosure or transmission of employee data, particularly information employees would regard as sensitive, such as bank account details or home addresses. The recent case involving the data security breach at Morrisons demonstrates that employers can be held liable for the actions of rogue employees. Another area of focus is being prepared to respond to individuals exercising their new and enhanced rights under the GDPR. A key change is the reduction in the period for responding to a data subject access request from 40 days to one month, together with the need to provide the data subject with additional information when delivering the response. The ICO is likely to follow up with employers who have not modified their processes to respond to these requests within the relevant timescales, potentially leading to further enquiries about the state of their GDPR compliance.
Be prepared to review your approach
An overarching objective of the GDPR is to move data protection higher up the priority list so that it is treated in the same way as other regulatory obligations. With this in mind, employers should be prepared to keep their processes and approach under review. As noted above, the ICO has yet to publish its views on how the GDPR affects the processing of HR data in the form of an updated Employment Practices Code. Inevitably there will also be legal challenges before the courts on the interpretation of the many grey areas under the GDPR, and organisations will need to amend their processes as understanding of the obligations evolves.
Ultimately, the GDPR marks a step change in how employers deal with the processing of HR data, and compliance will be an ongoing exercise extending far beyond 25 May 2018.