If the consequences of using data opaquely – or potentially illegally – weren’t already clear, the acres of news coverage dedicated to the revelations surrounding Cambridge Analytica and Facebook have brought the matter home in the starkest fashion in recent weeks. But you don’t have to be a Silicon Valley tech giant, or even a data-driven business, to find yourself on the wrong side of the law.
The General Data Protection Regulation (GDPR), which applies from 25 May 2018, affects every organisation that processes personal data about people in the EU, regardless of size, sector or practice. There are no exceptions and no transitional period after that date. Penalties for transgressions are tough: companies can be fined up to €20m or 4 per cent of annual global turnover, whichever is higher, and may also face compensation claims and, where member-state law provides for them, criminal sanctions. And while much of the focus of the regulation is on customer data, there is plenty for HR to be concerned about, as recruitment processes and the use of employee information fall squarely within its scope.
The good news is that the GDPR need not necessitate a complete rethink of how a business recruits or engages its staff. But it does mean re-examining relevant policies or processes, against a tight timeline. So what does that mean in practice for HR professionals?
Privacy notices used with employees, for example, will almost certainly have to be revised. The GDPR prescribes a longer and more detailed list of information that a privacy notice must contain (Articles 13 and 14) than the Data Protection Act 1998 did.
The requirements are stringent. Privacy notices should:
- be written in clear, transparent and easy-to-read language;
- detail exactly what data is collected, why it is being collected, on what lawful basis, who it is shared with and how long it will be stored for;
- explain all the data subject rights under the GDPR, including how to exercise them and how to complain to the supervisory authority;
- describe how staff or clients can report a suspected breach and how deletion of data is confirmed; and
- explain when the right to erasure (the 'right to be forgotten') will not apply because another legal provision, such as a statutory retention period, overrides it.
Karen Holden, founder of A City Law Firm, suggests that a specific policy may be required for employees, detailing the use of their relevant information, with a separate document covering customers, clients and third parties. It is not enough to merely update privacy notices, though. Systems and processes need to ensure that any personal data collected is used in accordance with the notice.
Confidentiality clauses in an employee’s employment contract should also be refreshed, says Kristina Russell, UK sales manager at Kefron. “They should confirm measures are in place to protect the confidentiality and security of personal data both within the business and when a third-party service provider is retained,” she says. “This should also clarify when it is acceptable for employees to access and/or use personal data they may come into contact with at work, and should extend beyond the termination of the contract.”
If your new company data protection policy – and details of how you expect your employees to handle data or report breaches – is not dealt with in a staff handbook, it should also be added to employment contracts, says Holden, who points out that interns and volunteers are equally affected.
A data subject, which includes employees and recruitment candidates, has specific rights under the GDPR, including the right to:
- be informed (a clear privacy notice);
- access their data (subject access requests, normally to be answered within one month);
- rectification (ensuring the data is accurate; eg correcting a misspelt name);
- restrict processing (allow some processing, but not other uses, while a dispute about the data is resolved);
- erasure (the right to be forgotten);
- data portability (receiving the personal data they provided in a structured, commonly used, machine-readable format, or having it transmitted directly to another controller, such as a new provider);
- object (to processing based on legitimate interests, and always to direct marketing); and
- not be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them.
Therefore it is essential to know which of these is applicable to the data being processed. Rachael Eyre, risk, quality and compliance manager at Spratt Endicott Solicitors, says: “For example, if you are processing an employee’s data on the basis of consent or on legitimate interests as a controller and the employee asks you to delete the data, you have to comply.”
An employer’s existing legal responsibility to keep employee data safe is tightened even further under the GDPR, with greater emphasis on demonstrating that they have appropriate security measures in place. “This includes being able to show you know where the information is held, how it is used and who has access to it. The data covered has been extended to include data held on paper – so it’s important to ensure that documents aren’t left lying around, or filing cabinets unlocked,” says Sue Lingard, marketing director at Cezanne HR.
With many organisations now working with third parties to deliver services (such as benefits) to employees, and hosting payroll or HR data in the cloud, employers must satisfy themselves with how those providers process, retain and secure employee data, and must update their contracts to include the processor terms the GDPR requires (Article 28): among other things, processing only on documented instructions, confidentiality of staff, security measures, approval of sub-processors, and deletion or return of the data when the contract ends.
“Some major software suppliers have historically only ever archived data, rather than physically deleting it, for example,” adds Lingard. “Under the GDPR, that’s no longer appropriate, so check with your supplier how they propose to handle this.”
Experts advise a review of all data security, including firewalls, passwords, software and the encryption used to protect personal data. Organisations may also choose to use pseudonymisation, a measure the GDPR defines (Article 4(5)) and names as an appropriate security control (Article 32), in which fields that identify an individual are replaced with a token and the information needed to reverse that replacement is kept separately and protected. Pseudonymisation reduces risk, but it does not make data anonymous: because the original identifiers can be restored by whoever holds the key or lookup table, pseudonymised data remains personal data and stays within the GDPR's scope.
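To make the caveat concrete, here is an added Python example (not code from the article or from any of the firms quoted in it) of keyed pseudonymisation applied to a small set of constructed personnel records. It assumes a staff-number format of 'E' followed by five digits, and the names and numbers are made up. It shows three things: the controller holding the key and lookup table can re-identify every record; an unkeyed hash of a staff number can be reversed simply by enumerating all possible staff numbers; and a keyed (HMAC) token cannot be reversed that way without the key.

```python
"""Keyed pseudonymisation of HR records, and why the result is still personal data.

Added illustration, not code from the article. All records below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample personnel records: fictional names and staff numbers.
# Assumed staff-number format: 'E' followed by five digits (E00000..E99999).
EMPLOYEES: List[Dict[str, str]] = [
    {"employee_id": "E00042", "name": "Alice Example", "absence_days": "3"},
    {"employee_id": "E01337", "name": "Bob Sample", "absence_days": "0"},
    {"employee_id": "E07777", "name": "Carol Test", "absence_days": "12"},
]

# Fields that directly identify a person; the rest is kept for analysis.
DIRECT_IDENTIFIERS = ("employee_id", "name")


def naive_token(employee_id: str) -> str:
    """Unkeyed SHA-256 of the staff number. Weak: staff numbers are enumerable."""
    return hashlib.sha256(employee_id.encode()).hexdigest()[:16]


def keyed_token(key: bytes, employee_id: str) -> str:
    """HMAC-SHA256 under a secret key that is stored apart from the pseudonymised data."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


class Pseudonymiser:
    """Replaces direct identifiers with a keyed token and keeps the mapping separately.

    The key and the lookup table are the 'additional information' that Article 4(5)
    says must be held separately. Whoever holds them can re-identify every record,
    which is why pseudonymised data remains personal data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        token = keyed_token(self.key, record["employee_id"])
        self.lookup[token] = record["employee_id"]
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_token"] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        return self.lookup.get(token)


def staff_number_space() -> Iterable[str]:
    """Every staff number in the assumed format: small enough to try them all."""
    return (f"E{n:05d}" for n in range(100_000))


def reverse_by_enumeration(
    token: str, candidates: Iterable[str], token_fn: Callable[[str], str]
) -> Optional[str]:
    """Attacker without the lookup table: recompute tokens for every candidate ID."""
    for cid in candidates:
        if hmac.compare_digest(token_fn(cid), token):
            return cid
    return None


def demo() -> Dict[str, object]:
    p = Pseudonymiser()
    pseudonymised = [p.pseudonymise(r) for r in EMPLOYEES]
    alice_token = pseudonymised[0]["subject_token"]

    # 1. The controller, holding key and lookup table, re-identifies the record.
    keyed_round_trip = p.reidentify(alice_token)

    # 2. An unkeyed hash of a low-entropy identifier is reversed by brute force.
    naive_recovered = reverse_by_enumeration(
        naive_token("E00042"), staff_number_space(), naive_token
    )

    # 3. Without the real key, the same brute force against the keyed token fails.
    guessed_key = secrets.token_bytes(32)
    keyed_recovered_without_key = reverse_by_enumeration(
        alice_token, staff_number_space(), lambda cid: keyed_token(guessed_key, cid)
    )

    return {
        "sample_record": pseudonymised[0],
        "keyed_round_trip": keyed_round_trip,
        "naive_recovered": naive_recovered,
        "keyed_recovered_without_key": keyed_recovered_without_key,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two further caveats a practitioner should keep in mind: a keyed token still links every record about the same person, which is what makes the data set useful and also what keeps it personal data; and unusual values in the retained fields (here, a high absence count in a small team) may single a person out even with the identifiers removed. Pseudonymisation is a risk-reduction control, not an exit from the regulation.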
Retention of recruitment records should be reviewed, a retention policy put in place and the data only held for an appropriate amount of time, says Aaron & Partners employment partner Claire Brook, who adds: “Typically, the CV of an unsuccessful candidate may be kept for six to nine months in case another suitable role arises, following which it should be disposed of in a GDPR-compliant manner. This should be explained to candidates at the outset, on collection of this personal data.”
Under the GDPR, consent required to process data from workers, contractors or job candidates must be “freely given, specific, informed and unambiguous”, which means relying on silence, inactivity or pre-ticked boxes will not suffice.
Given the imbalance of power between employees and employers, says Holden, it will be difficult for consent to be freely given, meaning it is unlikely to provide a valid basis for processing HR data. Employers should therefore identify another lawful basis under Article 6 of the GDPR, which could be:
- the legitimate interests of the data controller, unless overridden by the interests or fundamental rights of the data subject;
- necessity for the performance of a contract with the data subject;
- compliance with a legal obligation;
- protecting the vital interests of the data subject or of another natural person; or
- necessity for the performance of a task carried out in the public interest or in the exercise of official authority.
Holden says: “For example, data for processing salaries and passing to HMRC will be a legitimate purpose by law. Holding a personnel file to protect you against an employment or litigation claim could be a legitimate purpose under contract. However, after the legitimate purpose timeframe wears away – say, after six years – this right to hold the data will be lost.”
Keystone Law employment lawyer Rachel Tozer warns that for employers to be able to process ‘special personal data’ (which includes information about health, political opinions, racial origin, sexual orientation, religion and biometrics) they need to be able to rely on one of the lawful purposes, as well as a ground for processing special personal data.
The two main grounds, she says, are that processing is necessary to comply with an employer’s obligation or to give an employee rights under employment law (which will apply, for example, to processing absence records for the purpose of paying statutory sick pay), or that processing is necessary to assess the working capacity of an employee (which would cover most health data held by employers).
Data subjects, says Brook, should be able to withdraw or refuse consent without suffering any detriment; for example, an offer of employment cannot be made conditional on consent. Consent forms should be provided separately from the contract.
“If consent is being relied on, the consent form needs to confirm information including the type of data being collected, what it will be used for and the purpose for this processing,” adds Brook. “For example, an employer may not need to obtain explicit consent to use a photograph for security purposes, as they could rely on the legitimate business reason basis under the GDPR. If the employer then wishes to use this photograph for other purposes, such as marketing, explicit consent will need to be obtained.”
There are just weeks to go, which means the complexity of the regulation and the number of areas it covers can appear overwhelming. But employers panicking over how they use data should be assured that they can take systematic steps, even in the tightest timeframe, to audit their data use and put the right mechanisms in place.
And ultimately, processes are only one factor in making a success of the GDPR and avoiding those hefty fines. The rest comes down to the sort of cultural shifts HR is already well-versed at introducing. As Kim Lessley, director of solution management at SAP SuccessFactors, puts it: “The best systems and processes don’t make an organisation compliant – it’s the employee and how they use or don’t use those systems and processes.”
Key tips for conducting a GDPR compliance audit
Assemble the right team
The compliance team should include anyone responsible for managing or processing personal information. This usually means those in charge of handling customer relationships, alongside the heads of marketing, HR, IT and legal. Appoint a data protection officer to lead this work: the GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data, and other organisations may appoint one voluntarily. The DPO advises on and monitors GDPR compliance and must be able to act independently, although accountability for compliance stays with the organisation as controller.
Study other compliance standards and frameworks
The GDPR is principle-based and leaves many procedures and definitions to the organisation, so use other compliance standards and frameworks, such as the Payment Card Industry Data Security Standard, as a starting point for concrete controls. They may have a different purpose, but the primary goal of protecting data is the same.
Know your data
Classify the types of data you collect and store, advises Matt Middleton-Leal, EMEA general manager at cybersecurity firm Netwrix. Before you can begin to assess risks, you need to know which data is sensitive, where it resides and who has access to it.
Identify your unique risks
Know the risks specific to your organisation and classify them in terms of severity and likelihood using categories like high, moderate and low. Consider what valuable assets could be harmed by each risk.
Determine your risk/benefit ratio
The GDPR asks businesses to carefully weigh the benefits of processing data a certain way against the attendant risks to the individuals concerned; where the processing is likely to be high risk, this weighing must be documented as a data protection impact assessment (Article 35). This means different organisations may score the same threat differently according to the chances of it occurring versus how effective mitigation measures might be. "The processing of personal data should be designed to serve mankind," says the regulation. If this means storing more data, you can do so, but weigh up the need to process it against the risk of storing it.
Repeat risk assessment continuously
The GDPR requires risk assessment to be ongoing. This means constantly monitoring new data, discovering new risks, re-evaluating risk levels, taking mitigation action and updating the action plan.
CIPD Members can get a 50 per cent discount off HR-inform, which features more than 25 downloadable GDPR documents to ensure your business is fully compliant with the new legislation.