Overview of the rules
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) came into force on 25 May 2018 and represent the biggest change to EU data protection laws in over three decades. Since the GDPR and DPA came into force, there has been a sharp increase in complaints to regulators. The Information Commissioner’s Office received 6,281 breach notifications between 25 May and 3 July 2018, an increase of 160% on those received in the same period in 2017. Almost a year on from the implementation of the GDPR, and a few weeks (or possibly months) away from Brexit, now seems like a good time to reflect on the immediate challenges the GDPR has presented to employers and HR teams.
Personal information plays a key role in any business, and as such the task of GDPR compliance is not one to be ignored. Due to the very nature of the work carried out by HR teams, many of the changes the GDPR requires fall within their remit, and they are not one-time tasks.
What kind of data are we talking about?
The GDPR covers all personal data that your business collects and processes. Employers and their HR departments frequently deal with employees, consultants, interns, summer students, volunteers and a host of other individuals. Each of these brings interviews, meeting notes and record keeping, and day-to-day admin brings the processing of payroll and pensions, dealing with grievances, and so on. Your business will therefore hold and process personal data on a daily basis.
Key changes for HR departments and employers
So, to save you reading the entirety of the GDPR (all 260 pages!), we have highlighted some of the most significant changes that HR teams and employers have had to get on board with when onboarding new staff and maintaining relationships with existing staff:
- Transparency and accountability – the GDPR introduces a general requirement for organisations to be accountable for their data processing, with a greater emphasis on transparency. This affects how an organisation requests data (ensuring the data subject is informed about what data is being collected about them, for what purposes and how the data will be used, i.e. privacy notices), how it processes data and how it responds to the rights of data subjects. Organisations need to keep up-to-date records so that they can demonstrate compliance with the GDPR, and must focus on being accountable and transparent about how they work with data.
- Employee rights – as data subjects, employees already had a bundle of rights pre-GDPR; the most important from the employer/HR perspective is probably the subject access right. These rights remain, but they are enhanced under the GDPR, bringing with them greater accountability and increased administration. The other rights of employees as data subjects include (1) the right to be informed; (2) the right to be forgotten; (3) the right to data portability; and (4) the right to rectification and restriction. These enhanced rights have already affected the data management of HR teams (with an increase in subject access requests), and we have seen an increase in the issuing of privacy notices to employees and candidates. They are likely to continue to affect the data management practices of HR teams;
- Data breach notification – under the GDPR, businesses are now required to notify personal data breaches within 72 hours. This time limit means that businesses need to be able to identify what counts as a notifiable data breach and to have a policy in place so that their notification processes meet the GDPR obligations;
- How you gather data about your employees – pre-GDPR, employers had to inform all employees of the types of information they record and for what purposes. This obligation continues in an enhanced form and has resulted in changes to data protection policies, statements in contracts of employment, and contracts with other workers;
- Subject access requests (SARs) – the major change around SARs brought in by the GDPR is that the time limit for responding to a SAR was shortened from 40 days under the Data Protection Act 1998 to one month under the GDPR. The GDPR also makes it generally easier for data subjects to make SARs, and employers can no longer charge the £10 fee for dealing with them;
- Appointment of a Data Protection Officer (or “DPO”) – organisations whose core activities (i) involve the regular and systematic monitoring of data subjects on a large scale, or (ii) involve the large-scale processing of special categories of data (meaning the likes of health data, political opinions, religious beliefs, and racial and ethnic origin data), need to appoint a Data Protection Officer to advise the organisation on its obligations under the GDPR. Given the many additional ongoing obligations under the GDPR and the DPA, many organisations have appointed someone to oversee general compliance despite not meeting the test that mandates a DPO;
- Record keeping – through the increased focus on transparency and accountability, there are now much tighter standards on the nature of data employers can retain and for how long. Retention periods for records need to be identified and monitored, and you are required to keep better records of your decision-making process. Keeping improved records is key to demonstrating GDPR compliance and, in particular, to responding to any SAR;
- Privacy by design and PIAs – the GDPR advocates privacy by design, which means that employers are obliged to adopt an approach that promotes privacy and data protection compliance from the outset of any project or process. For example, if your business outsources its pension administration, your HR team may carry out Privacy Impact Assessments at the beginning of the new process so that privacy is “baked” into it from the start. So if you are thinking of changing or upgrading your payroll system, or introducing a new HR management system, you must assess the privacy implications before implementation.
These are only a few of the changes employers have faced since the GDPR came into force in May last year. We will highlight and discuss them in more detail during this mini-series.
Why should HR teams care?
Under the GDPR, fines have been significantly increased (pre-GDPR, the maximum fine the ICO could impose was £500k), and they are levied on a two-tier basis:
- up to the greater of 2% of the organisation’s annual worldwide turnover for the preceding financial year or EUR 10 million – for breaches related to internal record keeping, data processor contracts, DPOs, and data protection by design and default; or
- up to the greater of 4% of annual worldwide turnover for the preceding financial year or EUR 20 million – for major breaches related to issues such as consent and data subjects’ rights.
What should HR teams do?
The GDPR remains a huge risk for organisations that are not yet compliant. Organisations must take stock of their policies and procedures to foster a compliance culture and avoid potentially detrimental fines. Below are some of the policies and procedures organisations may need to review and amend, and some actions your organisation may need to take:
- Existing employee privacy notices, data protection policies and practices including: employment contracts, staff handbooks and employee policies.
- Procedures for handling SARs.
- Identify staff members (e.g. the DPO) who require training on the changes, and appoint someone to oversee compliance with the reforms.
- Know when DPIAs should be used, who should be involved and the process to be adopted.