The way businesses manage their staff leads to an abundance of personal data being obtained, processed, stored and shared on a daily basis and for a variety of purposes. With just over six months until the GDPR comes into force, HR practitioners are preparing for a fundamental change in data protection regulation.
In this article we look at some significant changes on the horizon, and some of the practical steps which HR practitioners can take to prepare before the GDPR comes into force on 25 May 2018.
Significant changes (increased rights for data subjects and greater responsibilities for data controllers) plus a much more severe penalty regime (as much as €20 million, or 4% of annual worldwide turnover, whichever is greater) equal many potential sleepless nights. There is no soft landing for the GDPR, and no transition period, meaning businesses will have to comply and be able to show they comply from the outset.
- The conditions for obtaining valid consent are becoming much stricter and, given the requirements, employers are unlikely to be able to obtain valid consent to process personal data from employees under the GDPR. Employers should be wary of relying on blanket consent wording in an employment contract.
- There are increased transparency obligations, with emphasis on ensuring that data subjects (which could include workers, consultants and interns as well as employees) know more about their rights.
- The GDPR gives data subjects greater rights. The right to access data (the subject access request) is here to stay with additional obligations, and there are other new and enhanced rights including a ‘right to be forgotten’, to data rectification and to object to data processing.
- A greater emphasis on privacy requirements is a hallmark of the GDPR, with the focus on privacy by design and default – privacy considerations must be built into systems (with the intention of making breaches, whether large or small, more unlikely).
- The GDPR imposes an obligation to notifythe appropriate regulator ( the Information Commissioner’s Office (the ICO), where the UK is lead regulator) in the event of breaches which are likely to give rise to a risk to data subjects’ rights – within 72 hours if feasible.
- A new principle of ‘accountability‘ is also introduced by the GDPR, requiring businesses to not only comply with the GDPR principles, but also to be able to demonstrate how they comply.
What sort of documentation and processes should HR practitioners consider as part of ensuring their businesses are prepared?
- Employment contracts: Under the GDPR, valid employee consent to processing will be difficult to obtain. Consent must be freely given, specific and informed, and blanket consent under an employment contract will not meet the new requirements. Employers will either need to rely on a legitimate interest to process the relevant data (thereby avoiding the need for consent) or separate and clear employee consent to specific processing activities (see Privacy Notices below). To avoid confusion about the basis for processing employee data and to minimise the risk that an employee alleges their personal data was being processed on the basis of invalid consent, employers may wish to consider removing these standard data protection clauses completely from their template contracts for all new staff.
- Handbooks and policies: Staff handbooks will need to be updated (and new policies introduced) to both guide staff in complying with the GDPR and to evidence the employer’s attempts to comply with the GDPR (going back to the accountability principle mentioned earlier).The obvious policy to update is the data protection policy. This should set out the data protection rights of employees, (including the right to be ‘forgotten’), the organisation’s processes for complying with its obligations (see Processes below), the employee’s role in this and the potential penalties for non-compliance.You should also consider policies regarding data retention and destruction, security incident response procedures and data subject access requests, to further support GDPR compliance.More broadly, you should also be looking at other policies where the GDPR may have a knock-on effect, including polices for the following:
- disciplinary and grievance (making sure it is clear to employees that data breaches will be regarded as disciplinary offences);
- social media;
- employing monitoring and CCTV use;
- information and IT security; and
- use of company devices and any user terms.
- Privacy notices and informing staff: Privacy notices will need to be produced for new and existing employees covering the processing of specific types of employee data. These notices must give employees information about what data is being processed, what the organisation will do with it, where it will be stored and the justification for why it is being processed. Implied consent will not be valid under the GDPR, so if you intend to use a privacy notice to seek consent to the processing, you will to consider how you will gain and record that consent. There is a clear difference between telling a person how you propose to use information, and getting their consent to process it. The safer approach may be to be transparent and rely on a legal basis other than consent. That said, in some circumstances employers will need formal consent, which will require a clear and unequivocal agreement from the individual to the processing in question (noting that the consent must also be freely given, specific and informed, and must be capable of withdrawal). Nil returns won’t be sufficient; requests for consent require employees to positively opt-in.These notices, whether consent is sought or not, will need to be reviewed regularly and refreshed if there are material changes to the data processing.
Organisations should regularly review and update their GDPR compliance procedures as necessary.
Necessary processes will include those to make it easy to correct data, to object to processing, and to the withdrawal of employee consent to data processing.. Any consent that an employee gives for their data to be processed needs to be able to be freely withdrawn at any stage, just as easily as it was given. Employees must be able to point out errors, and have these rectified quickly. This will mean establishing a process for them to do so (e.g. a clear and easily filled in form on an intranet page, which will be automatically sent to the right person within the organisation). The business must then take appropriate action following the withdrawal, objection or rectification request.
Additionally, clear policies should be put in place to handle the following.
- Notification to third parties of rectified personal staff data: If an employee informs you that any of their personal data is incorrect, you need to notify third parties (such as benefit providers) to correct it.
- Data portability: Employees have the right to ask that their personal data be shared with a third party, free of charge (without undue delay - usually within one month). Processes should be in place to ensure that employee personal data can be swiftly identified and exported in a common format that is easily readable.
- Record keeping: Your record keeping policy should include regular reviews of why data is kept so that it is not retained any longer than necessary.
- Internal data breach reporting: Organisations need internal procedures in the event of a data breach to ensure that it is identified and investigated promptly, that, an appropriate response plan is implemented and the internal breach register updated, in addition to a requirement to report it to to the regulator.
This can all seem overwhelming, but we recommend a review of what your business is doing now to pinpoint what steps need to be taken . Look at your internal procedures and practices to see what information is obtained, and how it is processed and stored. With whom is it shared, where does it go, and what are the grounds for doing so?
This approach should identify what the business is already doing well, as well as highlight risk areas Ultimately, it can form the basis of an action plan that will help to avoid 25 May 2018 arriving with a bump.