How will GDPR Affect HR?
16th April 2018
With the impending change to data protection law fast approaching, businesses throughout the European Union are working hard to ensure compliance with the number of aspects of the law that are about to change in May 2018.
The General Data Protection Regulations (GDPR) will put great emphasis on data processors and data controllers to share an equal amount of liability where data security is concerned.
So what exactly does this mean for the future of HR?
Key ways GDPR will Affect HR
GDPR is going to impose serious implications on HR and staff management. This is because companies will be required to adopt more flexible systems for their data.
It is important for businesses to understand the changes that will need to be made to accommodate compliance, and the best way to know exactly where you stand as a company is to fully audit your HR data. This will allow for an assessment of whether current HR related procedures and documents are (or are close to being) compliant under the GDPR.
The Data Protection Act 1998 has always required consent to be given before any form of data can be legally retained; however, new rules introduced by the GDPR see consent subject to much stricter thresholds. Once GDPR comes into play in May, consent will be required to be ‘freely given, specific, informed and unambiguous’ and ‘clearly distinguishable’ in order for personal information to be stored. This will mean that any documents requesting consent will need to be reviewed and reworded where applicable to ensure that there is no uncertainty or misunderstanding surrounding what data is being held.
Employers should consider that past employees may need to be contacted for consent in order for their information to remain on company records.
Further to this, staff must be made aware that they have the opportunity to withdraw their consent at any time. This means that the system used to store data will need to be easily accessible and can be edited without difficulty. It should be as easy to withdraw consent as it is to provide.
Seeing as the way in which consent is going to be understood moving forward, it is likely that the standard consent clauses which currently populate employee contracts will not be acceptable under the new rules, so standing contracts may need to be revised. Not only does this cover the employer in terms of GDPR compliance, but it also ensures that employees have been notified that they have to comply with the company’s policies and procedures in relation to data protection.
The Use of Data and How Long it can be Retained
It is important to consider the HR data that should be processed as this will be a key component of many employment related documents, and employers will be required to make their staff aware of exactly how they intend to store and use employee personal data. Companies will not be permitted to use this information in any other way than its intended purpose. Using this data for any purpose other than how it was intended will require further consent from the employee.
This will limit HR departments in they way they are able to process personal data.
The new rules under GDPR specify that personal data may only be retained for as long as it is needed. For example, if a temporary member of staff is taken on, their data can only be stored for as long as they are employed – unless they have otherwise expressly given their consent.
This is where a HR management system like Staff Squared would prove beneficial to a company, as it has been specifically designed to hold and control all of your staff data in one place.
Any sensitive personal information must be handled with the utmost care, and the best way to do that is to encrypt the data; however, this should not be limited to just HR records. Any data transmissions as well as emails should also be encrypted to ensure the protection of all data from cyber-attacks. By covering all grounds, full compliance is met.
Criminal Record Checks
GDPR makes it unlawful for employers to carry out Disclosure and Barring Service (DBS) checks unless the position that they are recruiting for is a role for which checks are authorised by law. For example, a role that involves working with vulnerable adults or children will require a DBS check.
The new regulations specify that any data breaches must be reported to the Information Commissioner’s Office (ICO) within seventy-two hours of the company becoming aware of them. This also applies to staff data; therefore employees must be made aware ‘without undue delay’ if their personal data has been stolen.
Things to Consider
These (and other) changes that will soon be put into play by the GDPR will have a massive impact on the structure and processes of a business.
HR departments should be undertaking careful review and structured planning to ensure that they are in full compliance of the new law.
Here are some of the things that HR departments should consider:
- Current data protection policies and procedures should be reviewed and amended where applicable (i.e. Data retention, Subject Access Requests [SAR], Personal Data Breach).
- Ensure that satisfactory consent has been appropriately collected to handle employee personal data.
- Think about the geographical scope of the business – GDPR sees the consistency of data protection rules throughout the EU, regardless of where the data is processed.
- Identify employees who will require training in light of the new reforms and consider whether all employees will require revised data protection training in the lead up to the date of implementation.
- Appoint one person to oversee compliance to the reforms.
Why it’s Important to get GDPR Right
As the applicability of the law on data protection is tightening, it goes without saying that the implications of being non-compliant will too.
If you are found to be non-compliant to the GDPR requirements you could face fines of up to €10 million, or 2% annual global turnover (whichever is higher) OR €20 million, or 4% annual global turnover (whichever is higher).
For more information on the action businesses should take to be compliant of the new reforms, see this GDPR for HR checklist. Alternatively, check out our blog post GDPR – Getting to grips with the new law to learn more about the General Data Protection Regulations.