Many organisations, particularly those that process large volumes of consumer data, will have been grappling with the challenges for months and reaching the final stages of their action plans.
For others, the next few weeks are likely to involve a period of intense activity to ensure that their business can demonstrate that it is compliant with the new GDPR regime by the time it’s implemented on 25 May 2018.
For HR professionals, GDPR housekeeping should focus on:
- carrying out an audit of how the personal data of job applicants, employees and contractors is processed;
- removing consent clauses from employment contracts;
- updating data privacy notices; and
- reviewing the contract terms with third parties, such as payroll or benefits providers.
Whatever the state of compliance, these practical tips will be of relevance to all employers:
No need to panic
In a perfect world, all companies will have implemented their GDPR action plan comfortably before 25 May to coincide with the date when the new obligations technically take effect. The reality is that for many employers this will be a work in progress, extending beyond the deadline. This should not cause undue concern; it is highly unlikely that the Information Commissioner's Office (ICO) will be interested in using its resources to pursue businesses that are actively engaging with their GDPR obligations and taking steps to ensure they are compliant.
In this regard, it is notable that the new data protection bill (which implements the GDPR into UK legislation) is still making its way through parliament, and the ICO itself has not yet updated its employment practices code to address changes under the GDPR; it is unlikely to do so before the summer.
Focus on key risk areas
The HR housekeeping steps outlined above are clearly important. However, where time or resource is limited, organisations should focus on the key risk areas where enforcement action is more likely in the event of a breach.
In terms of HR data processing, this includes the issue of data security and taking steps to understand and address any areas of vulnerability in relation to the disclosure or transmission of staff data (particularly information employees would regard as sensitive, such as their bank account details or home address). The recent case involving the data security breach at supermarket Morrisons demonstrates how employers will remain liable for the actions of rogue employees.
It’s also wise to be prepared to respond to individuals exercising their new and enhanced rights under the GDPR. Key changes are the reduction in the period for responding to a data subject access request from 40 days to one month, and the need to provide the data subject with additional information when delivering the response.
The ICO is likely to follow up with employers that have not modified their processes to respond to these requests within the relevant timescales, potentially leading to further enquiries about the state of their GDPR compliance.
Be prepared to review your approach
An overarching objective of the GDPR is to move data protection higher up the priority list so that it is treated akin to other regulatory obligations. With this in mind, companies should be prepared to keep their processes and approach under review. As already noted, the ICO is yet to publish its views on how the GDPR affects the processing of HR data in the form of an updated employment practices code.
Inevitably, there will be legal challenges coming before the courts on the interpretation of the many grey areas of the GDPR, and organisations will need to amend their processes as our understanding of the obligations evolves.
Ultimately, the GDPR marks a real step change in how employers process their HR data, and compliance will be an ongoing exercise that undoubtedly extends far beyond 25 May.
Geetika Bansal is a senior associate, and Khurram Shamsee a partner, in the employment and pensions group at DAC Beachcroft.