The General Data Protection Regulation (GDPR) is the most significant change to EU data privacy law in 20 years. Because HR teams hold sensitive personal data such as medical and financial records, and act as data controllers (and in some cases processors) for it, they are under particular scrutiny. They must make sure that their own team, as well as departments and groups across the business, understand their new roles and responsibilities under the regulation.
Failing to comply with the GDPR can result in fines of up to four percent of global annual turnover or €20 million (£17.5 million under the UK Data Protection Act 2018), whichever is greater. The reputational impact could have unwanted consequences for confidence amongst stakeholders, including employees, customers, investors and local communities.
The new data protection regulation will impact HR data across many levels relating to documentation, communication, technology and training.
With the 25 May 2018 deadline for compliance now passed, HR teams need to ensure that they continue to be GDPR compliant.
HR teams will need to conduct a gap analysis to establish what HR data is held, where it is held, why it is processed and what the GDPR now requires of it. This involves an internal audit and data mapping exercise covering all personal data held on employees, candidates and third parties such as insurance companies. Each data set then needs to be classified, distinguishing ordinary personal data from special category data (such as health or trade union information) and criminal offence data, which attract stricter conditions.
This includes the lawful processing of data under the GDPR, which requires HR teams to identify a lawful basis for each processing activity involving employee or candidate data. The rules for lawful processing are much stricter than they were under the Data Protection Act 1998 that the GDPR replaced.
For example, HR teams must work out which of the GDPR's lawful bases applies to each activity: consent, performance of the employment contract, a legal obligation (such as holding bank details to pay salaries and report to HMRC), or legitimate interests. Consent is hard to rely on in an employment relationship because of the imbalance of power between employer and employee, so it should not be the default basis, even for candidate data. Any HR data for which no lawful basis can be identified must be deleted.
HR teams will also need to create an organisational chart outlining roles and responsibilities for GDPR requirements across the business. An organisation must appoint a Data Protection Officer (DPO) if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special category data or data relating to criminal convictions and offences. The DPO monitors the organisation's compliance with the regulation, advises on its data protection obligations and acts as the point of contact for the regulator and for data subjects.
A review of current controls, policies, processes, HR systems and technologies is also required so that HR teams can demonstrate GDPR compliance. A centralised HR system will keep HR data secure, increase data accuracy, provide an audit trail and speed up responses to Subject Access Requests (SARs).
The GDPR brings three significant changes to SARs, all of which mean further responsibility and workload for HR teams. First, companies can no longer charge a fee for a SAR in the normal case (a reasonable fee may only be charged where a request is manifestly unfounded or excessive). This is likely to increase the number of requests. Second, companies must respond to a SAR without undue delay and within one month, rather than the previous 40 days, so the pressure on HR teams' response times will increase. Third, where a request is made electronically, the information must be provided in a commonly used electronic format, so HR systems must be up to date and able to export an individual's data readily.
There are also updated rules under the GDPR for data breaches. In the event of an HR data breach that is likely to result in a risk to individuals' rights and freedoms, HR teams now have an obligation to report it within 72 hours of becoming aware of it to the UK regulator, the Information Commissioner's Office. Where the breach is likely to result in a high risk to the individuals affected, for example where payroll or medical records are stolen, it must also be reported without undue delay to the employees or other individuals concerned.
Another painstaking process for HR teams is reviewing all third-party contracts to make sure they are GDPR compliant: contracts with pension firms, health insurance companies and payroll providers, for example. In short, this covers any supplier or third party that can access HR data.
Outsourced payroll management brings its own headaches for HR teams seeking GDPR compliance. Payroll providers have considerably more responsibility as processors under the new regulation. For example, they must commit to a duty of confidence, act only on the documented instructions of their clients, and delete or return all personal data at the end of the contract. That said, as the data controller, the employer's HR team is still responsible for ensuring these obligations are addressed in its new terms and conditions with the provider.
HR teams are responsible for communicating the new regulations to employees. For example, staff will need to know what to do if a customer makes a Subject Access Request or if they identify a potential data breach. HR may want to update the website and intranet and consider holding interactive workshops. Employees will also need to be made aware of their own rights regarding their personal data.
Training is essential so that employees are clear about their new roles and responsibilities. This means training staff right across the business, from the top down, including, for example, the Board, Finance, IT, Customer Support, and Sales and Marketing. They will all need to understand the new data protection regulation, what personal data is, which procedures to follow and how to use new or updated systems.
HR professionals are in a strong position to use their existing skills and experience of current data protection regulations to help their organisation achieve GDPR compliance. They already handle sensitive data every day and have experience of Subject Access Requests and responsibility for company policies and contracts.
Me Learning offers online GDPR courses for HR teams, written by data protection specialists Clayden Law in conjunction with hr inspire. We also provide flexible and role-specific e-learning courses for your people right across the business and from the top down, from Board level to receptionist.