With the official adoption of the EU’s General Data Protection Regulation (GDPR) just 8 months away, on May 25th 2018, businesses throughout Europe are anxious to get ready. But while data storage policies and operations come under scrutiny, HR departments will also be affected. So what can they do to prepare for it?
Amongst the new developments to come through the GDPR is a greatly increased range of responsibilities that employers will have to their employees and an obligation to fully inform employees of these specific rights.
The most significant is their right to data access requests, and their right to have that data erased or rectified (should information be proved inaccurate). Employees must also be informed about the length of time their data will be stored and how that data was used if supplied to a third party.
When it comes to HR departments, the GDPR also demands significant changes, but not only from in-house personnel departments. Now, even contracted HR service providers will have to adhere to the new regulations.
With so much going on, what exactly should HR departments be looking at to ensure readiness for the General Data Protection Regulation launch?
Challenges HR Departments Face
There is a lengthy list of aspects HR needs to adopt if they are to be ready for the launch date. For a start, they will have to make sure management and employees are fully aware of dates relating to GDPR commencement, as well as confirming the appointment of Data Controllers and Data Protection Officers.
These officers must also be made fully aware of the non-compliance penalties, not least potential fines of up to €20 million or 4% of total global annual turnover, the risk of data transfer suspensions and the possibility of criminal sanctions. But there are others.
5 Key Aspects To Handle
- Securing Consent
Currently, employees must provide consent when employers want to gather their personal data. This seems perfectly reasonable but critics say current legislation does not adequately protect employees when they wish to deny consent. HR departments will have to ensure there is no ‘imbalance of power’ between employers and their staff, meaning that staff members feel free to make a decision without fear for their jobs.
There are also other legal grounds for gathering employee data, so consent is only necessary where none of those other grounds applies. Examples include where employers require personal data:
- for contractual reasons, such as information necessary to make salary payments
- in order to meet legal obligations, such as providing data for social security reasons
- for legitimate reasons, such as monitoring for security reasons
HR Departments must make sure employee consent has been clearly expressed in writing. So, perhaps add a clause to the employment contract or create a dedicated consent form.
Traditionally, the conversation between HR and employees flowed mainly in one direction: outward, providing details of entitlements and rights. While this may remain largely the case, the increase in employee rights will result in a more significant inward flow. Basically, since personnel will be entitled to access their data and have it corrected, HR can expect a greater number of requests, and even instructions, from employees.
There are 3 such requests in particular that HR should be prepared to handle:
- Right to be Forgotten – employees will be able to tell employers to erase personal data relating to them when the data no longer serves a purpose.
- Consent Withdrawn – employees can withdraw consent, meaning the employer must immediately stop gathering and storing their personal data.
- Compliance Time Limit – where an employee has requested access to their personal data, employers have 40 days to comply. That time limit will shorten to 1 month.
HR Departments must make sure their systems are able to delete data completely whenever requested to do so.
Until now, interaction with the Data Protection Authorities (DPAs) has been carried out largely via forms and documentation. But the paper process is set to be replaced by direct interaction, a compliance system based on actions that can be demonstrated – not just reported.
As a result, a company’s HR department will have to make sure a number of obligations are met by the employer, including:
- Appointing a Data Protection Officer (DPO)
- Carrying out privacy impact assessments
- Consulting with DPAs before new data processing begins
- Keeping detailed records of all data processing activities
Companies will also be obliged to fully disclose any breaches they have detected. Currently, information tends to be given within surveys and reports, but the GDPR will make it compulsory to tell Data Protection Authorities whenever a breach has occurred.
In most cases, a time limit of 72 hours will apply, with any time over that period requiring a justifiable reason. What is more, if the breach relates to employee data, any employees affected must be notified ‘without undue delay’. This obligation may be avoided if the data is encrypted.
HR must make sure a system through which to make these notifications (and confirm they have been made) exists. This will certainly involve establishing a clear communication channel between the department and the DPO.
Every recruitment drive involves gathering information on candidates and checking they are fully suitable for the job in question. But once the recruitment procedure has ended, the data of unsuccessful candidates will no longer be relevant. HR will have to ensure that this information is not retained for longer than is absolutely necessary, and should design policies that make certain this pre-employment data is disposed of safely.