Is your workplace ready for GDPR?
We’ve all heard of GDPR. You're probably being bombarded with posts on the topic, but there aren’t many ‘easy to read’ guides on how it will impact the Workplace, HR, Managers and Employers.
The short version (TL;DR)
As an Employer, here’s your to-do list:
1. Understand what employee personal data you may hold that is in scope (it’s any information relating to an identified or identifiable person).
2. Do an audit of employee personal data flows, including 3rd parties.
3. Update your internal privacy notices to be compliant (no more small print or implied consent).
4. Review consent. Where consent is currently relied on, check whether or not it meets GDPR requirements (often it won't!) - you'll probably want to move to a legal basis for holding employee data.
5. Write a policy for dealing with a data breach & allocate responsibility.
6. Create a process for data access requests & train a team to respond.
7. Update contracts with 3rd Parties (Payroll providers, Benefits providers etc.) to include GDPR clauses/compliance.
8. Determine whether or not a Data Protection Officer must be appointed and, if so, think about how best to recruit, train and resource one.
9. Last, but not least, communicate with your employees (or ‘Data Subjects’ in GDPR speak) on an ongoing basis and, crucially, decide how they will be informed about, and able to manage, the data you hold on them.
Quite how this last point will be achieved, and what a best-practice implementation will look like, still seems to be largely unanswered; it applies to both current and past employees.
The (slightly) longer version
Does GDPR cover employee data? Yep!
From when? May 2018.
Can I ignore this? No - fines of up to €20m or 4% of the organisation's global annual turnover, whichever figure is larger.
What’s first? Do some training/reading.
Ok, what’s next? An audit mapping HR data and processes. It should cover:
- Where is your data stored, and by whom?
- Identify 3rd parties or Non-EU entities that hold personal data.
Next, review & update your Privacy notices
Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
- How long data will be stored for.
- Who has access to it and why?
- If data will be transferred to any other countries.
- Information on the right to make a subject access request.
- Information on the right to have personal data deleted.
Consent from employees
Many employers are currently relying on implied consent. Under GDPR valid consent will be extremely difficult to achieve in an employment context. For more sensitive activities like monitoring, this is especially true.
Even with consent, this approach has been increasingly criticised because there is doubt as to whether or not consent is given freely in the subordinate employer-employee relationship.
Also, under GDPR, employees must be able to withdraw their consent at any time.
Together this means using consent, as a way to justify processing, could be tricky.
In most cases, companies will need to move to one of the other legal grounds to (continue to) process HR-related personal data. This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).
Employees' Rights
Within the framework of GDPR, employees as Data Subjects will have new rights:
- right to access their data
- right to request corrections
- right to have their data deleted/right to be forgotten
- right to restrict processing
- right to data portability
Let's quickly understand when an employee might be able to exercise their right to be forgotten. They can if:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- the individual withdraws his or her consent and there is no other legal ground for the processing.
- the individual objects to the processing of data where the processing is on the basis of the employer's legitimate interests and there are no overriding legitimate grounds for it to continue.
- their personal data has been unlawfully processed.
- deletion is required for compliance with a law to which the employer is subject.
In summary, one of the key actions on an employer is to clarify the legal reason they are holding any employee data, and update processes around this legal need for current and past employees.
Write a new process in the event of a breach
GDPR imposes a new mandatory ‘breach reporting’ requirement. When there has been a data breach, you will have to notify the data protection authority and provide it with certain information within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals concerned, they will also have to be notified.
Get ready for data subject access requests
Data subject access requests (“DSARs”) will need to be responded to within one month. This can be extended by two additional months, depending on the complexity of the request and the number of requests from the same source.
If you don’t have one already, you’ll need a process which logs and tracks DSARs. Responding to a DSAR is often complex, so you should ensure people are trained to handle them with consistent principles where objections are made (such as that the request is “complex” or “excessive”) and to ensure that third-party data is handled appropriately.
Are your third-party processors compliant?
You should start by identifying your processors, such as Payroll providers, and review the contractual terms. GDPR imposes obligations to ensure that the right contractual guarantees are in place where you appoint processors and so these agreements should be overhauled.
Anything else?
We've just scratched the surface, but the above will give you a good start. You'll also need to ensure ongoing compliance, clarify which group and person owns GDPR (should be senior, independent, and avoid conflicts of interest) and how governance is tracked at Exec/Board level to ensure ongoing compliance.
As a parting thought, the 'why' is probably best coming from the EU’s executive body, the Commission, summing up the goal of GDPR:
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.