Every comic book fan is familiar with the phrase, “With great power comes great responsibility” but with the introduction of GDPR, it’s more relevant than ever to businesses.
Data analytics has empowered HR to become strategic partners within modern business organisations, giving them advanced tools with which to coordinate talent management, resource allocation and strategic planning.
Yet having access to a wealth of valuable personal data also brings a responsibility to ensure that it is securely held and used in a responsible manner. The General Data Protection Regulation (GDPR) is the latest effort to offer increased rights to individuals and to increase the organisational obligations of any companies that have access to their data.
The incoming regulations look set to bring in sweeping changes to how organisations handle the personal data of individuals. This obviously has a major impact on employers and HR activities so it’s important to know how it will affect you. This short guide will give you an overview of how GDPR will affect HR leaders before and after it comes into effect.
What is the GDPR?
The GDPR is part of the EU Data Protection Regulation and it will replace the existing Data Protection Directive. The aim of the new regulation is to standardise and strengthen the rights of European citizens to data privacy. This means that any organisation that deals with people’s private data must meet new standards of transparency, security and accountability.
The onus is on data controllers (employers) and processors (HR) to identify potential compliance issues within their organisation, to analyse the private data that is currently being held by the organisation, and to review the consent procedures by which employees agree to the retention of their personal data.
What are the important dates to remember?
The GDPR comes into effect on May 25, 2018. The UK Government has confirmed that the regulations will apply in the UK as it will still be a member of the EU at that time. This gives HR leaders just under a year to prepare for the new regulations to take effect.
What counts as personal data?
Information related to an employee such as names, photos, bank details, email addresses, personal information or medical records qualifies as personal data.
Do I have to get an employee’s consent to retain personal data?
Employee consent is generally not considered to be “freely given” due to the power imbalance between the employee and their employer. Indeed, where consent is given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
Companies may process employee data on the basis that it is necessary under their employee contract or to fulfil an employer’s legitimate interests. However, the conditions for consent have been strengthened so consent that was obtained as part of the terms and conditions of employment contracts may no longer suffice.
Explicit consent may need to be given by employees for the retention and processing of sensitive personal data so it’s important to assess this between now and May 2018. The GDPR also means that ‘data subjects’ have the right to withdraw consent at any time.
Security responsibilities of employers and HR
Under the GDPR regulation, any data breach will need to be reported to the DPA within 72 hours, unless the data is encrypted or doesn’t identify individuals. This means you’ll need to review your current data breach reporting mechanisms. Employees who could potentially suffer harm from any breach will also need to be notified “without undue delay.”
It is important to review your security provisions and to consider any potential issues that could arise because of the way that you store data. Depending on the extent of the sensitive data you process, it may be necessary to appoint a Data Protection Officer to oversee data processing activities within your organisation.
What are the rights of my employees under GDPR?
Employees will be able to find out what HR-related personal data is being processed, why it is being processed and where it is being held. HR must also provide them with a free copy of any data that it holds upon request, so you must have a system in place that allows you to easily provide this information.
HR will also need to ensure that any personal data is accurate, complete and up to date under the Data Quality Principle. This could have implications if employees are utilising self-service software so a review of how this information is processed is advisable. HR also needs to notify employees why it is collecting their data and this data cannot be used for another purpose without notifying an employee.
The new legislation is designed to give individuals the right to access, correct and erase information that relates to them. So, your employees will be entitled to greater transparency in relation to their personal data and your reasons for retaining it.
What steps do I need to take?
The first step is to review your data protections processes and procedures and identify any areas of concern. Part of this process is to create an inventory of all the personal data that you hold and assess the reasons for its retention.
You’ll also need to reach out to your workforce and make them aware of the new rules and their rights. This will make it easier to obtain any consent you require to hold their sensitive data. You’ll need to look at how you acquire, obtain and record declarations of consent from your workforce.
It is also recommended that HR review employment contracts and documents to look at whether this meets the requirements for consent going forward.
Most importantly, you need to start getting ready now. It is vital that you have a secure system in place that allows you to adopt a transparent and compliant approach going forward. Depending on the HR system you use, this may be a much bigger job than you imagine so getting started early is the first step.
The GDPR also allows individual member states to implement more specific rules in relation to HR-related personal data meaning you’ll need to assess how this could impact you if you operate in more than one territory.
What will happen if I don’t comply with the new regulations?
The official GDPR website outlines the details of the new regulations and states that non-compliant organisations will face “heavy fines.” Your company could be fined up to 4 percent of your annual global turnover or €20 million (whichever is greater) for serious offences like not having obtained sufficient consent.
Smaller fines of 2 percent can be applied for failing to keep your records in order, failing to report a breach or not conducting impact assessments.
Senior Solutions Consultant
Victoria is a Senior Solutions Consultant Presales at CoreHR. She has worked in the HCM Software industry for over 13 years.