Why HR needs to know about GDPR - 5 Burning Questions HR needs to answer

What does HR need to know about GDPR?

The answers to five burning questions on the incoming legislation

The General Data Protection Regulation (GDPR) is due to come into force on 25 May 2018, giving HR departments less than a year to get their house in order, as the way organisations collect and process data about employees and job candidates will be changing, says Hayley Kirton. Here’s what HR needs to know now:

1. What happens to the idea of consent in the employment relationship?

At the moment, many employers gain consent to process employee data by including a clause in their employment contracts, but the GDPR will tighten the rules for gaining consent. “Consent now needs to be explicit, informed and given – and that means you can’t just put it at the back of an employment contract,” says Christine Young, employment partner at Herbert Smith Freehills.

HR departments should think about what lawful bases they could rely on to justify processing employee data, such as needing to do so to perform a contract or to comply with a legal obligation. Norman Murray says HR should be training employees in consent as a “way of ensuring compliance”, particularly given the growing view that employees are never truly free to give consent to their employer, because there might be adverse consequences if they say no, and given that consent can be withdrawn at any time. This means training employees in their rights under the GDPR. For the ultimate consent checklist, email [email protected]

2. What will HR do if there’s a data breach once the GDPR is in force?

Under the GDPR, organisations will need to disclose a data breach to the appropriate authorities within 72 hours. If the breach poses a high degree of risk to the rights of the individuals concerned, the business will need to inform the people affected as well.

“It’s important for organisations to have some kind of plan in place if there’s a data breach,” says Young. “Seventy-two hours is not a very long period of time to notify a regulator.”

3. Do HR professionals need to be concerned about the ‘right to be forgotten’ and other employee rights with GDPR?

The ‘right to be forgotten’ currently exists under EU law but the UK government has already said it will entrench the right into national legislation once the GDPR comes in. When most people think of the right, they think of Google removing links from search engine results, but Phil Allen – partner in the employment, pensions and immigration team at Weightmans – notes that the right to be forgotten could also affect information held on file about employees. This raises problems for HR departments trying to balance handling historic staff issues with the new obligations.

“To give you an example, if someone gets a warning for something, the Information Commissioner says that, once the warning’s spent, you shouldn’t retain those records,” says Allen. “Most employers do retain the records because, when the same issue arises years later, they want to know that the issue happened before.”

Barrett adds that this right might become relevant to HR if employees discover that their employer has been holding on to more information than is necessary, or for longer than is necessary, to carry out an originally legitimate purpose. “Where I see the right to be forgotten kicking in more is where individuals say: ‘Why have you still got my data? I want you to effectively stop processing that data,’” she says.

However, Young points out: “It’s only limited to circumstances when a data subject can use that right. It’s not a wholesale ‘they’ve asked, therefore we must delete’.” There are other rights that employees have, says Norman Murray of Learning for Success, including the right to know all the data that an organisation holds about them and what it does with it, as well as the right for that data to be amended or, in certain circumstances, deleted. It comes as a bit of a shock to several organisations that we are helping with GDPR.

4. What do I need to know about subject access requests (SARs)?

The rules around SARs are changing, so if one lands on the desk of the HR team post-GDPR, they’ll need to respond more quickly. At present, companies have 40 days to respond, but this goes down to a month under the GDPR.

The fees organisations can charge for SARs, currently a maximum of £10, will also disappear under the new regulation. And Allen notes that, as SARs are sometimes used as a prelude to litigation, the abolition of employment tribunal fees could have a further effect on the number of requests HR receives. “The more claims there are in the offing, the more we’re probably going to see an increase in SARs,” he says. Email [email protected] for the ultimate list of documentation needed to be GDPR compliant.

5. We use profiling in our recruitment. What do we need to know about the GDPR?

Using an element of automated profiling to filter through applicants – for example, hunting out CVs that mention certain skills and qualifications – is not uncommon, but organisations that do this will need to rethink their approach once the GDPR comes in.

“You need to notify people that you’re doing this profiling and you may need to give them the opportunity to object to that and somehow have some human intervention,” says Young.

The General Data Protection Regulation (GDPR) comes into force from 25th May 2018, superseding the Data Protection Act 1998. This change introduces a new era of data protection and privacy in the modern world and includes the ability of the Information Commissioner to fine charities and social enterprises up to 4% of total turnover for failing to comply with the legislation. 

Other areas HR needs to change include, as a minimum, recruitment, induction, the employee handbook and policies.

If you would like The 12 Steps to GDPR legal compliance, please do contact [email protected]

If you valued this post, please do share it and follow me, thank you

Jim Shaw

Helping HR & Recruitment teams implement ATS, HR & Payroll solutions

7 years

There are many areas around recruitment in particular that businesses need to change. Recruitment is a high-risk area. It's actually worrying when speaking to senior members of staff whose knowledge around what changes need to be made is very limited; however, they don't see it being an issue. Neither do they understand the implications if they don't get it right, or understand how recruitment technology could help them have a secure and robust recruitment process.
