Despite Brexit, as of 25 May 2018, the UK will look to implement the new General Data Protection Regulation (GDPR). Employment lawyers Rachel Tozer and Sonia Bhola outline the necessary next steps for HR teams.
The impending changes to privacy law will impact a range of business functions, requiring significant investment from HR professionals in particular. Combined, the following points of action provide a comprehensive checklist, guiding HR teams through the preparation process.
Establish who will be responsible for data protection compliance; this is particularly important within SMEs that don’t have a data protection officer (DPO).
Consent or other reason?
Assess whether the business wishes to take the significant risk of relying on consent for processing data, or instead to identify the legitimate interests of the employer that will be relied upon to process each type of data held about employees.
Transfers outside of the EEA
For any transfer of data outside the EEA, again assess whether the business wishes to take the risk of relying on consent, or (in the case of US organisations) the lower risk of relying on Privacy Shield certification, or whether to put in place binding corporate rules or intra-group Standard Contractual Clauses.
Rewrite internal information notices/data protection policies to include all the required new information (such as the reason relied on for the processing, details of any transfers of data and the reasons for them, how such data will be protected once it’s transferred from the employer, how long information is kept, and an explanation of all of the individual rights set out above along with the right to complain to the DPO).
Work with IT to ensure that appropriate encryption technology is deployed on all company devices given out to employees.
Provide training to managers both about the employees’ new individual rights and about the new security obligations, so they know that, when one of their team loses their phone, it’s not simply a matter of calling IT to remotely disconnect it and ordering a replacement device.
Provide training to employees on how to handle the personal data that they will have access to during their employment.
Data breach policy
Draw up a procedure for handling and reporting data breaches within the time frames required and for establishing who needs to be informed.
Update (or draft) retention and destruction policies.
Subject access policy
Update policies regarding subject access requests and ensure you have a procedure in place for responding in a timely manner.
Particularly when purchasing new HR software, consider the structure of the HR databases to ensure that they allow the employer to access the data to comply with the individual rights of access, restriction, objection and portability.
Automated decision making
If you use profiling, i.e. automated decision making, put in place a procedure for dealing with objections.
And remember, the ethos of the GDPR is not only about implementing controls; it is as much about measuring the effectiveness of those controls. Compliance alone will not be sufficient: employers will need to be able to demonstrate their compliance. Privacy by design is the buzzword, and data protection authorities now expect organisations to ensure that privacy compliance activities are included in the business planning process.