The General Data Protection Regulation (GDPR) represents a series of extensive and (in part) complex changes that businesses will need to incorporate and keep under review from 25 May 2018. Implementation will require several parts of the business working together to ensure that all aspects of data storage and processing within the business is GDPR ready.
Failures could now result in significant financial penalties.
Given the scope of GDPR, businesses should be undertaking an impact assessment and drawing up a project plan which will require working groups that are cross departmental to address each aspect of data processing (i.e. IT, HR, Finance, Sales, Marketing).
From a HR and employee data perspective the issues that HR professionals will need to consider as part of the overall project plan will include:
- Employee Consent
Employers should no longer rely on the type of passive consent that is currently common in standard employment contracts and so should update new employment contract templates.
To process employee data, the employer should not rely on an employee’s blanket consent requirements, and instead rely on one of the other ‘other conditions for processing data’ such as ‘performance of a contract’, ‘legal obligation’ or ‘legitimate interests’.
Informed and proactive consent might be needed if the processing of employee data is required for a specific purpose other than the purpose of general employment.
- Update Policies and Procedures
Employer’s will need to review their Data Protection Policy (which will require important amendments) as well as wider policies that connect to the various aspects of data compliance including the Whistleblowing Policy, Code of Conduct, Electronic Communications Policy, IT Policy and Home Working Policy.
- Training Programme
Employees will need to understand GDPR and how it applies to them in practice. Delivery of the implementation will need to be supported by a comprehensive training programme that is ongoing, regularly updated and regularly attended by relevant staff.
- Breach Response
HR ought to contribute and be a part of the business’s breach response plan. Many data issues - such as data leaks - will commonly come to HR first as they are almost always related to employees in some way.
- Subject Access Requests
The rules on responding to subject access have changed and so HR need to familiarise themselves with the new regime in anticipation of receiving a request post May 2018. Key differences include:
- Employers will no longer be able to charge the £10 fee;
- Requests should be responded to "without delay" and at the latest within one month of receipt as opposed to the current 40 calendar days
Employers need to be transparent with employees and provide detailed information about the information it holds, how it is collected, how it is used and how it may be shared. Such information should be referenced in the employment contract and explained in further detail in a Privacy Notice.
- Data Protection Officer (DPO)
The GDPR only requires the appointment of a DPO in certain prescribed circumstances. Where these circumstances do not exist, we advise labelling the officer responsible for data protection as something else such as Data Protection Manager. If labelled a DPO in circumstances where a DPO is not required, the legal requirements and responsibilities that come with the DPO label will apply.
The Data Protection Bill
In addition to the implementation of the GDPR in May 2018, the Data Protection Bill (DPB) is currently working its way through the House of Commons. The DPB repeals the Data Protection Act 1998, updates data protection laws in the UK and supplements the GDPR.
Importantly for employers, the DPB provides exemptions to the prohibitions applied by the GDPR to processing special categories of personal data and criminal convictions data where certain conditions are met.