Published: 29 March 2018
Area of Law: Data Protection, Employment
GDPR for HR professionals
With the GDPR deadline date (25 May 2018) less than two months away, it is still causing a stir with many businesses who are not as prepared as they should be. Martin Noble explores what HR teams should be doing.
Understand what personal data is
The starting point for anyone considering GDPR is to ensure that they understand precisely what constitutes personal data and what does not. The general rule of thumb is that any information that can be used to identify a living individual (on its own or in combination with other readily available information) is personal data.
Some personal data is also classed as sensitive personal data, because it contains particularly private information about an individual, such as their religious beliefs and sexual orientation. This is precisely the kind of information that an HR team may hold about employees – information that goes far beyond an individual’s name and address. Employees need to properly safeguard sensitive personal data and the conditions for using it are more stringent.
Do a data audit
The next step is to carry out an audit, in order to understand how the employer collects information from its employees. In this context, it is important to consider potential employees; so job applicants should also be considered. As an HR team, you will need to identify what personal data is being collected from employees and the purposes for which it is being used. The reason this is important is because employers will then need to tell employees that this is what they are doing. The GDPR is far stricter when it comes to informing individuals about how their data is being used, even if you do not necessarily need to obtain their consent for doing so.
Understand how personal data is stored
GDPR does not change the principle that organisations need to look after personal data. So in addition employers do need to think carefully about how personal data is stored. Typically this means linking up with the IT team, but not forgetting that personal data can also be stored as hard copies as well as electronic copies.
The audit will need to identify where all of the personal data is kept. The likelihood is that it will not all be kept in the same place – particularly where an organisation is in fact a combination of two or more businesses that have merged over time. The business may use several databases for different purposes. There may also be filing cabinets brimming with documents. Consider too, who has access to the personal data and do they need a key and password?
It starts to get a little more complicated when looking at where information is stored, because a particular database might actually be an online piece of software so the data is held in the cloud, perhaps in another jurisdiction. Personal data might also be used by third party providers such as payroll and pension administrators. All of these uses and locations need to be considered as part of the audit process, as well as how secure they are.
Communicate with employees
When the audit has been completed, this will give the HR team a good overview of how personal data is used and where it is stored. Only at that point can you start to identify any gaps in security measures. It will also enable you to properly inform employees how their data is being used Bear in mind too that under the GDPR the rights given to individuals over their personal data have been increased.
Know how to deal with subject access requests
One area where HR teams will probably see more activity is subject access requests. These exist already and do mean there is a lot of work to do in responding within the 40-day time limit to requests for details about what personal information is held about an employee. Under the GDPR, this is reduced to one month, the information should be made available electronically and there is no longer any fee. So being able to readily access information is very important.
Consider appointing a data protection officer
Finally, HR teams will also need to consider whether to appoint a data protection officer, where there is a significant amount of personal data being used. This is a new position under the GDPR and that person will need to have a good working knowledge of the legislation and be able to deal with any breaches as and when they arise.
Many businesses will be well on the way to compliance with the GDPR if they are already well versed in the Data Protection Act. The penalty for non-compliance has significantly changed and so it is very important that care is taken to consider the GDPR in detail. One key feature of this new legislation is being able to demonstrate how an organisation complies and so carrying out a detailed audit is the best way to kickstart this process.
Data protection is the responsibility for the whole organisation and so make sure you link up with other colleagues around the business, such as IT, and marketing to ensure as a business you are fully covered and employees understand processes and procedures will need to be adhered to, to be compliant with the new guidelines.