What Human Resources need to know about GDPR

With the General Data Protection Regulations (GDPR), for Europe coming into force on 25th May 2018, stakeholders within all businesses will need be aware of the impact these new regulations are likely to have. As we have already explained, the regulations effectively standardise rules across the EU and the UK, as they have committed to observing GDPR even after Brexit.

In anticipation of the new regulations being enforced, we have prepared a two-part series on how the GDPR impact company’s Human Resources teams, with the first part focusing on the impact of GDPR on HR & Recruitment. This is, firstly, from a requirement perspective, and secondly, for the treatment of employees’ personal data.

GDPR will have its most significant effect in improving how businesses handle their customer data, which is why Amanda Williams from Sapphire Consulting says: “it will be the biggest change in data protection in decades which (if embraced) will build trust between brands and customers.” Nonetheless, much of GDPR will also apply to employee data. Employers need to be ready by reviewing their processes, and engaging with suppliers, and their employees.

Here are the main talking points:

Clarity for employees

For employees, transparency is always a good thing. With the new GDPR, knowing what data is being held by your company, where it is being stored, how it is being used, and who it is being used, by will now all be standard rights. This means that as an employer, you should be reviewing and documenting all stages of your employee lifecycle.

You can then ensure that processes about how personal data is used are reviewed with relevant team members, and that a summary of this made available to employees.

Providing what data you store

GDPR will give employees the right to ask for details of any and all personal information that you store on them. If you have catalogued the employee lifecycle accurately, this should be easy to pull together. This documentation process should also mean that you can standardise the format of responses, and reduce the chance of omissions.

An added responsibility (which is particularly important when dealing with ex-employees) is validating that the request actually comes from the ex-employee. This should be done using ‘reasonable means’, but given the broad definition, this should be reviewed and signed off internally.

Best practice: GDPR also suggests that, where possible, access to data stored should be made available via secure remote access. This will be time saving in the long term, but may require a significant project to bring together all relevant data points. See Recital 63 for more details.

Data rectification rights

You will also be required to amend data if asked to do so by a past or present employee. For companies with a centralised employee record system, this can be done simply. However, companies that have multiple areas for data capture and various departments using the data (like payroll and HR), will find this to be a time-consuming process of identifying all the data points well before they can be updated. Part of preparation for GDPR may well involve centralising this data.

Right to be forgotten

One of the central tenants of GDPR is that people, including employees, have the right to be forgotten, or to put this in simpler terms, have all their information removed form a company’s systems.

However, this right to be forgotten will not apply when a legal requirement to keep the data (such as for tax purposes) takes precedence. Understanding when the right to be forgotten is applicable needs to be reviewed, and a formal process for qualifying people in or out should be detailed.

Breach notification

One aspect of GDPR that has drawn the greatest attention are the fines for non-compliance, and fines are likely to be heaviest when a breach has taken place. One of the most important aspects of dealing with a breach is communicating the breach to the regulator, and to the individual(s) impacted.

This is likely to have a very significant impact on public perception of any company that suffers from a breach.

The best laid plans…

While IT and compliance teams will be more involved with locking down systems from a cyber security perspective, it is well known that most penetration of secure data occurs due to users’ (accidental or malicious) error. Thus, training of staff needs to be continuous, and effective.

This training also needs to be auditable, and signed off by the Data Protection Officer. It will likely fall to HR teams monitor this process.