GDPR: What HR professionals need to know
With the introduction of the General Data Protection Regulation (GDPR) fast approaching, organisations across the UK are preparing by reviewing and addressing many aspects of their data handling and processing. HR departments are set to be amongst the most significantly affected as they are likely to hold large amounts of personal data, including information about current and past employees and job applicants.
GDPR aims to standardise and strengthen the rights of European citizens to data privacy. It changes how businesses can collect, store and use information about their customers and employees, and affects every EU country. Although the UK is committed to leave the EU in March 2019, it is still subject to the legislation when it is introduced on 25th May.
What rights does GDPR give?
Broadly speaking, GDPR gives individuals more rights to know how information about them is gathered, used and protected, especially against the growing threat of cybercrime. Key areas include:
• Informed consent – companies need to tell individuals how and where their information is stored, and consent must be fully recorded
• Access – individuals must be able to see the data you have on them, and they must be able to access it for their own personal use
• Rectification – companies must allow people to update inaccurate information
• Removal – people have the right to have their data deleted, posing particular problems for HR departments who retain information such as disciplinary warnings given to employees
• Restricted use – individuals can allow data about them to be stored without giving consent for it to be shared
• Objection – everyone will have the right to opt out of data-driven marketing, or the use of their information for research.
Updating policies and procedures
Having reviewed the personal data that is held, identifying where it has come from and how it is shared, HR professionals will then need to review their Data Protection Policy to ensure it is GDPR-compliant. The updated policy will need to cover issues such as:
• What personal data is, and why data protection is so important
• How and why the organisation collects and uses personal data, how it is handled, stored and used
• The rights employees have regarding the use of their data, and how their information will be protected
• The penalties that apply for non-compliance with the regulations
• How any breaches will be handled, and the reporting process to be adopted.
Many organisations will have in place other policies that have data compliance implications, such as the Code of Conduct, IT policy, Electronic Communications policy and Home Working policy. Employees will need training in order to understand the nature of the GDPR changes, and how it will affect the way they operate and interact with customers and the general public. This information will need to be reflected in the organisation’s staff handbook.
Subject access requests (SARs) can be submitted by individuals who want to see a copy of all information an organisation holds about them, how it is being processed and what was its source. Under GDPR, this information must be provided free-of-charge and requests must be responded to within one month of receipt.
Recruitment issues and employment contracts
The recruitment process could also be affected. Individuals have the right not to be subjected to a decision based on an automated process unless they give their explicit consent. So those companies who use automated systems will need to gain consent, and be transparent about the process and the criteria applied.
At present, many employers gain consent to process employee data by including a clause in their employment contract. However, under GDPR, the rules are tightened, and consent will need to be explicit, informed and freely given. Employment contracts should be reviewed to ensure they meet the requirements of the legislation.
HR functions may also need to play their part in dealing with any data breaches that may occur. Organisations will be required to disclose any breach to the authorities within 72 hours. If the breach poses a high degree of risk, the business must also inform the people affected.
Clearly, there is much for HR professionals to consider before the implementation date in May. Our Employment team can help you ensure you’re properly prepared. Call us on 0330 221 8855, or contact us online.