In a year of upheaval – from the introduction of the apprenticeship levy to the new gender pay reporting requirements – there is one regulation that seems to have snuck under the radar. But not for much longer. The General Data Protection Regulation (GDPR) applies from 25 May 2018, introducing a seismic shift in the way any company with clients or workers in the EU collects, stores, manages and uses personal data – and exposing anyone in breach to fines of up to €20 million or 4 per cent of global annual turnover, whichever is higher.
The regulation requires employers to process personal data: lawfully, fairly and transparently; only for specified, legitimate purposes; limited to what is relevant and necessary; accurately, keeping it up to date; for no longer than is necessary; and securely.
Personal data is any information relating to an identified or identifiable individual. The GDPR's definition explicitly covers location data and online identifiers, and it treats genetic and biometric data – such as facial images and fingerprints used for identification – as special categories attracting extra protection.
One of the main changes affecting HR teams is the consents required from workers, contractors, job candidates and others whose data they handle. Consent must be ‘freely given, specific, informed and unambiguous’ – meaning pre-ticked boxes won’t suffice – and consent for each purpose must be obtained.
The GDPR’s consent requirements scupper the long-standing assumption that HR data can be processed on the basis of a consent clause in the employment contract, largely because the imbalance of power in the employment relationship makes it questionable whether such consent is ‘freely given’.
There are, however, other options available. “Employers can claim it is necessary for the performance of a contract (the processing of the employee’s bank details and personal data for the purposes of paying the employee), or compliance with a legal obligation (such as checking that a successful candidate has the right to work in the UK),” says Michelle Morgan, senior associate at law firm Gardner Leader.
There are also different lawful conditions for processing sensitive personal data (i.e. health, race or ethnicity, and trade union membership), says Shoosmiths employment partner Gwynneth Tan: “These include: compliance with employment law; to defend legal claims; for occupational medicine; and to assess an employee’s ability to work.”
When carrying out due diligence such as immigration checks, HR needs to make clear what the legal basis is to process personal data, how long the data will be retained and whether it will be transferred overseas. “HR should obtain consent from the employee or interviewees and ensure there is a record of how and when consent was given,” says Ben Power, senior partner at Springhouse Solicitors.
Data subjects can object to processing unless the controller demonstrates compelling legitimate grounds for it, and controllers must erase personal data without undue delay on request where: it is no longer necessary for the purposes for which it was collected; the person withdraws the consent on which the processing relied; or the person objects to the processing.
HR teams need to rethink how they approach data retention, ensuring increased understanding of what information is needed for, for how long it is needed and how systems can be adapted to help drive regular cleansing of unneeded or excess data, says CMS employment partner Alison Woods.
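The retention sweep Woods describes only works if each record carries the purpose it was collected for and the date from which its retention period runs. The following is an added example, not code from the article or from any of the firms quoted: a small Python sweep over a constructed in-memory HR store. The retention periods, record fields and sample records are all illustrative assumptions, not legal advice; the real periods come from the employer's retention schedule and applicable law. It goes slightly beyond the paragraph by separating records under a legal hold (which must not be erased even when expired) from records with no documented purpose (which cannot be kept "only as specified" and are flagged for human review rather than silently retained).

```python
"""Retention sweep over HR records (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: purpose -> days to retain after the
# trigger date (end of employment, recruitment decision, check completed...).
# The numbers are assumptions for illustration only.
RETENTION_DAYS = {
    "payroll": 6 * 365,
    "recruitment": 180,
    "right_to_work": 2 * 365,
    "occupational_health": 3 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str          # the data subject (employee, candidate...)
    purpose: str          # the documented purpose the data was collected for
    trigger_date: date    # date from which the retention period runs
    legal_hold: bool = False   # e.g. subject of a live claim


def classify(records, today):
    """Bucket records for a retention sweep.

    erase:  retention period has elapsed and no legal hold applies
    keep:   still within its retention period
    hold:   expired but under a legal hold, so retained and recorded as such
    review: no documented purpose / retention period; flag for a human
            decision instead of guessing a period or keeping it indefinitely
    """
    buckets = {"erase": [], "keep": [], "hold": [], "review": []}
    for r in records:
        days = RETENTION_DAYS.get(r.purpose)
        if days is None:
            buckets["review"].append(r.record_id)
            continue
        expired = r.trigger_date + timedelta(days=days) <= today
        if not expired:
            buckets["keep"].append(r.record_id)
        elif r.legal_hold:
            buckets["hold"].append(r.record_id)
        else:
            buckets["erase"].append(r.record_id)
    return buckets


def audit_log(buckets, today):
    """Accountability trail: one line per record stating the decision and why.

    Keeping this log (without the personal data itself) is what lets you
    demonstrate that expired data was actually removed.
    """
    reasons = {
        "erase": "retention period elapsed",
        "keep": "within retention period",
        "hold": "expired but under legal hold",
        "review": "no documented purpose",
    }
    return [f"{today.isoformat()} {rid} {bucket}: {reasons[bucket]}"
            for bucket, ids in buckets.items() for rid in ids]


# Constructed sample records (assumptions, not real data).
SAMPLE_RECORDS = [
    Record("r1", "alice", "payroll", date(2010, 1, 1)),
    Record("r2", "bob", "recruitment", date(2018, 3, 1)),
    Record("r3", "carol", "occupational_health", date(2014, 1, 1), legal_hold=True),
    Record("r4", "dave", "misc", date(2015, 1, 1)),
    Record("r5", "erin", "recruitment", date(2017, 10, 1)),
]


def run_sweep(records=SAMPLE_RECORDS, today=date(2018, 6, 1)):
    buckets = classify(records, today)
    return buckets, audit_log(buckets, today)


if __name__ == "__main__":
    buckets, log = run_sweep()
    print(buckets)
    print("\n".join(log))
```

Run on the sample store as of 1 June 2018, r1 (payroll from 2010) and r5 (recruitment from October 2017) are erased, r2 is kept, r3 is held back because of the legal hold, and r4 is queued for review because nobody recorded why it was collected. Scheduling the sweep (and keeping the audit lines) is the "system adapted to drive regular cleansing" the paragraph refers to.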
HR must also ensure the core GDPR principles are embedded into the team’s approach to processing the personal data of their workforce, says Tan: “This will include communicating privacy notices to job candidates and the workforce, adding controller-processor clauses to third-party agreements, implementing effective systems to support compliance measures and introducing a training programme to educate staff on their rights and obligations.”
A blanket policy of asking employees for details of criminal convictions to be disclosed when they join the business is also unlikely to be acceptable from 25 May, she adds.
Most public authorities and those that process certain data in a large-scale, regular manner as part of their core activities must appoint a data protection officer (DPO), to oversee compliance with the GDPR, says Power. “The DPO must have professional experience and expert knowledge of data protection laws and practices as they will be the first point of contact in respect of data protection matters,” he explains.
Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the risk is high, the affected individuals must be told as well.
GDPR compliance is not solely an HR issue and other departments should share the load, says Woods: “Where HR exports data to other businesses to process (for example, payroll providers) will it be HR or the supply chain that reviews the contractual arrangements for this? Who is going to ‘own’ subject access – will this be HR, legal or a combined or alternative approach?”
She adds that while most HR teams will be able to cope with matters such as issuing privacy notices and updating policies, what will take more work – and require management buy-in – is a change of attitude towards the importance of these issues.
“Many breaches and exposure to liability will come from human error,” says Woods. “Time taken by HR ensuring their team and the wider business truly understand – through training, clear messaging, etc – the obligations in place, will be time well spent.”
How to get the GDPR right
- Appoint a DPO or choose someone to oversee GDPR compliance.
- Try to find lawful grounds for processing other than consent, and take care over processing sensitive personal data like health, ethnicity and trade union membership.
- Update privacy notices and make sure these are communicated clearly.
- Set up regular GDPR training for all employees.
- Take time to understand the key requirements and create a manageable set of actions.