The dust has largely settled from the various compliance exercises most companies – and their HR departments – went through last year to prepare for the General Data Protection Regulation (GDPR). Now that all businesses, hopefully, have processing registers, data breach registers, privacy notices and appropriate security measures, they might think their house is in order. But there are still some areas that many companies haven’t yet addressed.
Special category data
The GDPR’s domestic counterpart, the Data Protection Act 2018 (DPA), includes some oft-forgotten specific requirements that apply when you use special category data to comply with, or exercise rights under, employment law, or for public interest reasons.
‘Special category data’ includes things like health information, so return-to-work processes (and most HR uses of health data) would be subject to these requirements. To use special category data, you need to both comply with one of the six legal bases set out in the GDPR – such as consent, legitimate interests or legal compliance – and also satisfy an additional condition for special category data – for HR teams, this will almost always be related to employment law.
Under the DPA, you need to have an ‘appropriate policy document’, which sets out your procedures for securing compliance with the data protection principles in relation to that data, and your policies regarding the retention and erasure of that data, together with an indication of how long it’s likely to be retained. Your employee privacy notice or – if applicable – your data protection policy are unlikely to deal with this specifically, so you’ll need to create something specific to your uses of data.
Your processing register (remember that enormous spreadsheet?) also needs some additions to deal with those special category data activities. For each of those activities, you must record in the register which condition is being relied on (eg compliance with employment law requirements), which legal basis applies (eg compliance with applicable law) and whether the data is being retained and erased in accordance with your appropriate policy document (and if not, why not). The ICO’s template register has columns for these purposes, and identifying the relevant information shouldn’t be a problem, but many companies still aren’t complying with this requirement.
These requirements might seem irritating, but if your HR team’s use of special category data ever does come under scrutiny, you’ll wish you had the documentation in place.
Even after all your policies have been double checked and signed off, and you’ve finally got everyone to attend some GDPR training, the job isn’t necessarily done. You need to continue monitoring your compliance. That includes things like testing security measures, reconfirming audits, and making sure your documentation and policies get updated if you change the way you do things. As well as scheduled tests, reviews or refreshers, remember to keep data protection and privacy in the back of your mind when discussing new projects, so that when someone suggests installing covert CCTV cameras, you can raise your hand and ask the dreaded question: ‘Is that GDPR-compliant?’
If you don’t have those measures in place, don’t panic too much. GDPR compliance is a continuing challenge. Raise these issues with whoever is responsible for data protection in the business and find a way forward that is achievable and realistic. If you’re the person responsible for data protection, ask for help. Find training courses and online resources (the ICO’s website is very useful, but can lack practical guidance at times) or take professional advice.
Elliot Fry is a senior associate at Cripps Pemberton Greenish