GDPR: Where now for HR?
Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, data privacy has a new prominence, and the GDPR needs to become embedded in the compliance framework of every organisation.
The flurry of activity in getting policies and procedures in place needs to be matched by the energy to sustain compliance and avoid the punitive sanctions that can now be applied. Whilst the Information Commissioner's Office in the UK is still developing its own approach to taking and enforcing regulatory action, there is still time to map out an organisation-wide approach to good data protection governance. One area particularly affected by the GDPR is employment. Employers need to change their approach to workforce data collection and processing. HR data protection operations need to take many factors into account, and we have highlighted the following key changes required by the GDPR.
Is consent the right approach?
Many employers justify processing personal data on the basis of employee consent, usually contained in the contract of employment. This approach has been criticised because consent may not be freely given due to the power imbalance in the employer-employee relationship.
The GDPR sets more stringent and detailed conditions for the use of consent: it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Consent obtained in the employment contract is unlikely to be effective. Employers are now likely to need to rely on one of the other legal grounds for processing personal data, for example that the processing is necessary to perform the employment contract or to comply with a legal obligation.
Employee privacy notices
Under the GDPR, more detailed information is required in privacy notices. This includes retention periods for personal data, details of overseas data transfers, and information on the range of employee rights over their data, such as subject access, erasure and rectification. This information must be concise, transparent, easily accessible and given in plain language. Employers' privacy notices should be updated to comply with these more detailed requirements.
Data breach notification
The GDPR makes breach reporting mandatory. Where there has been a personal data breach, the employer will have to notify the data protection authority and provide certain information within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to pose a high risk to those individuals, they will also have to be notified. Businesses will be unable to implement a data breach response process successfully without training key personnel to recognise and address breaches, and the 72-hour clock starts at awareness, so front-line staff who can spot a breach and escalate it promptly are essential. Many organisations will have carried out a thorough review of policies and processes, but staff awareness of those policies is critical to compliance.
Subject access requests
The reduction in the time limit for responding to a subject access request (now one month in most cases, down from 40 days) and the removal of the fee to make a request are likely to lead to more employees exercising their right to understand the extent of the personal data held by their employer and to see that data. Efficient processes, and internal awareness of what can be accessed, should drive a positive cultural change in data governance.
Protecting information given to third parties
Employee data is often processed by third-party providers, such as payroll companies, insurers and cloud service providers. Staff will want to know not only where their data is sent but also how that third party is keeping it secure. Data processors now have their own duty to comply with the GDPR, with potential liability if they fail to do so, and the employer must have a written contract in place with each processor that sets out the required protections. This calls for a continual review of third-party contracts to ensure the employer has built in protections for personal data transferred to external processing organisations.
HR decision making
Employers have used automated decision making in a number of areas where a large amount of personal data would otherwise need to be assessed by hand, e.g. aptitude tests for recruitment that apply pre-programmed algorithms and criteria. The GDPR gives employees the right not to be subject to a decision based solely on automated processing where that decision produces legal or similarly significant effects for them. Employers therefore need to consider whether any of their automated decision making is solely automated, with no meaningful human involvement in the decision, and if so either introduce genuine human review or consider alternative decision mechanisms.
Employers need to demonstrate compliance and this necessitates having appropriate policies in place, keeping records, and having clear lines of responsibility and training for staff.
Whilst it is too early to assess the attitudes and approaches to non-compliance that will be taken by the various EU supervisory authorities and the overarching European Data Protection Board, we do know that corporate and employee pressure to comply with the GDPR is building quickly. If internal stakeholders are not informed and engaged in your compliance efforts, the work carried out so far is likely to fail to achieve good data privacy outcomes.