HR teams have been working towards getting their processes ready to comply with the new data protection laws from 25 May 2018, when the GDPR comes into force, and while some businesses will be ready for the GDPR, many will not. For many businesses, this date will represent the early stages of a long compliance journey.
What should HR be doing now?
We set out below some of the key steps HR may need to focus on now, depending on what stage you are at on the journey to GDPR compliance.
It is important to take steps now as failure to comply with the GDPR has potentially very serious consequences. The ICO (the UK regulator) may issue fines of up to 4% of annual worldwide turnover or €20 million (whichever is higher). Individuals can also claim compensation to recover both material and non-material damage (such as distress).
The ICO has stressed that it will continue to take a proportionate and pragmatic approach when considering breaches of data protection rights and that enforcement would be a last resort. That said, if an employer persistently, deliberately or negligently flouts the law, it will impose hefty fines.
Keeping staff informed
By 25 May, staff should receive a privacy notice which sets out information about their personal data, including the purposes and legal basis for the data processing. Going forwards, HR should ensure processes are in place so that if any changes are made which mean that, for example, different categories of data are processed or the purpose of processing data changes, staff are informed about this in an updated privacy notice.
In the same way, updated privacy notices to reflect any changes should be given to job applicants.
Preparing and updating HR policies and procedures
In addition to updating employment contracts, consultancy agreements and the data protection policies, some HR procedures will need updating - for example those relating to recruitment and obtaining references and medical reports.
Individuals have a number of new rights, including the right to erasure (deletion of data in relation to them) and to restrict/object to processing. These rights will be triggered as a result of non-compliance with the GDPR data protection principles, which can include retaining data longer than necessary. HR will therefore need to have processes to record and act on such requests by job applicants and current and former staff.
Data security and training
Employers must notify the ICO of a data breach within 72 hours of becoming aware of it, unless it is unlikely to adversely impact on individuals' rights. If however the data breach is likely to have a significant impact on individuals' rights and freedoms, those individuals must also be notified promptly.
To reduce the risk of a data breach, it is important to educate staff about their data protection and security obligations – this also demonstrates that you have taken steps to ensure that staff process personal data lawfully.
Once you have an updated procedure for handling DSARs, and established procedures for dealing with the new rights (such as the right to erasure) you should arrange training for those individuals who will be dealing with DSARs etc. This will usually include HR, line managers and IT.
It is important to get the DSAR process right because, in addition to the financial penalties outlined above, the ICO may bring criminal proceedings against the company or its directors if steps have been taken to alter, erase, destroy or conceal data with the intention of preventing disclosure.
Personal data should be kept no longer than necessary for the purposes for which it was processed. Historically, data retention policies have often not been implemented as seriously as they will now need to be. The increased, and serious, sanctions for non-compliance should encourage employers to be stricter about managing data retention properly.
Another reason for employers to be mindful of poorly managed data retention is that this is likely to significantly increase the burden created by data subject access requests (DSARs) – a tool increasingly used by employees to find information processed about them. The publicity surrounding the GDPR means that employers may see a spike in requests from employees, former employees and job applicants to see the information that is held about them.
Changes to DSARs under the GDPR generally allow employers less time to comply and, potentially, a wider pool of data to be captured by such requests. That said, effective data cleansing should ensure that:
- the costs and time incurred in responding to DSARs are no greater than necessary, and
- DSARs do not flag wider non-compliance in relation to data that should have been deleted/destroyed.
Data cleansing systems must be in place to ensure that HR and all line managers etc who process staff personal data comply with the data retention policy. All staff personal data must be securely deleted/destroyed, or de-personalised, if there is no lawful basis for processing it.
Demonstrating compliance with data protection principles
Employers must be able to demonstrate compliance, if challenged by the ICO. This means that, throughout the design stage of any policy, process, product or service, employers must take data protection risks into account by:
- assessing and implementing appropriate and proportionate technical and organisational measures and procedures from the outset
- putting mechanisms in place to ensure that only personal data necessary for each specific purpose is processed, and
- completing a detailed Data Privacy Impact Assessment if carrying out "high risk" processing, such as CCTV monitoring or the processing of special category sensitive data (this may involve consulting with the ICO about whether risk mitigation is adequate).
In addition, there are new GDPR recordkeeping requirements. As part of demonstrating compliance, employers must maintain a record of their processing activities which must contain certain information, such as the purposes of processing, data retention and security measures. This record must be made available to the ICO on request.