Act Now for HR and the GDPR!

If you’re not GDPR (General Data Protection Regulation) compliant by 25th May 2018, you could be fined up to €20 Million Euros or 4% of annual company turnover, whichever is the greater.

Don’t panic the ICO (Information Commissioner’s Office ) have said that initially there will be a light touch, but you do need to show you have taken steps to comply with the GDPR regulations. Remember it will not be affected by the current Brexit discussions – it will happen whether we are in or out. It will require some work to become GDPR compliant, so, don’t delay start now.

GDPR basics

  • One aim is to harmonise data protection processing across the EU.
  • It’ll give employees greater rights as data subjects.
  • There will be very significant penalties for breaching the GDPR, which include the fines outlined above.
  • Unlike the rules under the current Data Protection Act (DPA), the burden of proof will be reversed so that from
  • 25th May the responsibility will be on you as the employer to provide good reasons for the retention of personal data.
  • ‘Pseudonymization’ i.e. how to anonymise personal data.
  • You need to be issuing privacy notices to job applicants.

What is Personal Data

  • Identification of an individual will not only be by name, but “an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity”. This is intended to be a very broad definition and will include IP addresses and cookie strings.
  • Sensitive personal data is broader and includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic and biometric data, data concerning health or concerning a person’s sex life, sexual orientation or criminal offences.

Rights to Obtain and hold Personal Data on New Applicants

The six data protection principles in the DPA remain. However, when processing personal data for HR and the GDPR, you must also satisfy one processing condition, and for sensitive personal data at least one sensitive data processing condition.

The processing conditions are:

  • consent of the data subject
  • necessity for the performance of a contract/to take steps in preparation for the contract
  • necessary to comply with a legal obligation
  • necessary for the performance of a task carried out in the public interest or in the exercise of an official authority
  • necessary for the purposes of legitimate interests – e.g. would be you need the data subject’s bank details to process their salary.

However, you must obtain their explicit permission to hold this data and make them aware how it is stored how long you need to hold it for and they can always ask for it to be deleted

Right of Employees under GDPR

  • The right to be informed, including the need for employers to explain how they would use the data.
  • The right of access, similar to those rights under the DPA and including revisions to the Subject Access Request (SAR).
  • The right to rectification of data that is inaccurate or incomplete (again like the DPA).
  • The right to ‘be forgotten’ (data deleted) under certain circumstances.
  • The right to block or suppress processing of personal data (like the DPA).
  • The new right to data portability – allows employees to obtain and reuse their personal data for their own purposes across different services, under certain circumstances.
  • The stricter requirements for obtaining consent to process data and employees must be able to withdraw their consent at any time, as easily as they have given it.
  • Unlikely to be able to rely on ‘consent’ as an overall blanket clause in employee contracts after GDPR (on the basis that the power relationship means that consent will never be given in a true way), or even if consent is given it’s unlikely to be deemed as valid. Therefore, you will need a sperate document to accompany an employee contract that states your legitimate business interests to allow you to process the data that you include.
  • Rights will extend to job applicants and the retention and processing of their CVs.

Personal Data you can’t ask for

  • As now, you’ll can only ask for, and hold, data that’s ‘adequate, relevant and limited to what is necessary’. The data must be for specific, explicit and legitimate purposes. (Be careful of holding any data that could be deemed discriminatory.)
  • “Pseudonymization” – for a process rendering data neither anonymous nor directly identifying. It’s the separation of data from direct identifiers (workers, employees, consultants or unsuccessful job applicants), so that linkage to an identity is not possible without additional information that’s held separately.

Storage and Security Obligations of Employee Personal Data

You still have an obligation to ensure that appropriate technical and organisational measures are taken to prevent unauthorised or unlawful processing, loss, damage or destruction of data. You must get confirmation that all your contractors who use this data e.g. payroll providers have in place their own procedures and policies to comply with GDPR.

The current DPA suggests employers should provide employees and applicants with a privacy notice. But under the GDPR you should provide more detailed information, including:

  • How long their data will be stored
  • If the data will be transferred to other countries
  • Information on the right to make a subject access request Information on the right to have personal data deleted or rectified in some circumstances.

Miscellaneous but Important Issues in HR and the GDPR

  • New mandatory breach reporting requirement – e.g. if there’s an accidental loss or disclosure, the employer will have to report the breach within 72 hours to the ICO. Failure to do so will result in a fine. Where the breach poses a high risk to the individuals, those individuals will also have to be notified.
  • Subject Access Requests – you will no longer be able to make a standard £10 charge for complying with any request. You will have a month to comply rather than the current 40 days. You can refuse or charge for requests that are manifestly unfounded or excessive and if you refuse a request then you must tell the individual within 1 month why and that they can complain to the ICO (Information Commissioner).
  • New accountability principle – requires businesses to demonstrate that they comply with the data protection principles and states explicitly that it is their responsibility to do so.

Data Protection Privacy Impact Assessments

  • Privacy Impact Assessments (PIAs) can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
  • Employers will be required to carry out PIAs if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals.

NewmanHR can help you by providing policies, procedures and data protection privacy impact assessments and provide guidance on record retention policies and how to handle subject access requests. We will generally put you on the road to becoming GDPR compliant for more information contact us on 0203 640 7748 or via this link>>>