On 25 May 2018, the new EU General Data Protection Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) will enter into force.
Given the scale of the task, many businesses have been working towards compliance for some time. During an initial stage you will have carried out a gap analysis against the GDPR readiness criteria, and then focused on remediating any gaps.
In addition to updating databases and technologies, it is also crucial to consider employees working directly with the data. Employees need to understand the consequences of the GDPR. If there are employees handling personal data and they don’t understand the GDPR, they could very well put the company at risk.
Here are some specific GDPR considerations that HR must know:
Modified data protection principles
1. Fair, lawful and transparent processing: an organisation must be more transparent with employees about their processing activities.
2. Purpose limitation: personal data collected for one purpose should not be used for a new, incompatible, purpose.
3. Data minimisation: an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes.
4. Accuracy: every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.
5. Storage limitation: personal data cannot be kept for longer than is necessary.
6. Accountability: controllers are responsible for, and must be able to demonstrate compliance with, the data protection principles.
Consent – no longer an option for HR data?
The requirements for obtaining consent are much stricter under the new GDPR regime:
• Consent must be freely given, specific, informed and unambiguous. The Article 29 Working Party takes the view that employees can almost never give consent freely, due to the imbalance of power between employers and employees.
• Consent must be clearly distinguished from other matters, in an intelligible and accessible form, using clear and plain language.
• Consent may be withdrawn at any time and it must be as easy to withdraw consent as it was to give it in the first place.
There are a number of other grounds for lawful processing, including that processing is necessary for: (1) the purposes of the legitimate interests of the employer or a third party; (2) the performance of a contract to which the employee is a party (i.e. the employment contract); or (3) compliance with a legal obligation.
Enhanced rights for employees
The rights that data subjects currently enjoy have been significantly enhanced and extended under the GDPR, such as:
• With regard to the right to information: under the GDPR employees must be provided with much more detailed information about the personal data that their employers hold. Privacy notices must be transparent, intelligible and easily accessible.
• The GDPR also introduces a new right to have information erased (the so-called “right to be forgotten”) and a new right to data portability, which will allow employees to request that certain personal data be transferred directly to a third party.
Employee engagement is key
Employees can either support or undermine GDPR compliance, so you need to make sure they are involved properly. Here are a few steps to consider:
(1) Give necessary information
First of all, make your employees aware of their rights and their ability to exercise them.
• Employees should be informed about how you will process their personal data (why, how and for how long). Update privacy template clauses for new employment agreements, and provide specific privacy clauses for the different HR processes. Draw up a meaningful privacy notice for your employees and other workers.
• Employees should be able to access their data, correct it, request its erasure or object to its processing. Prepare a Data Subject Rights Request Form to assist your employees in exercising these rights.
• Introduce or update your General Data Protection policy.
(2) Train your staff for the implementation of the GDPR
• Avoid accidental data breaches by giving training at regular intervals.
• Make sure employees have tools at their disposal to help establish GDPR-compliant behaviour within your company. Handy flowcharts can help them identify what they need to do, e.g. a response process flowchart or an individual rights flowchart. Other useful tools include policies on complaint handling and on data security breaches.