Are you asking yourself ‘What is GDPR?’ and ‘Should my organisation be doing something about it?’
If you are not already asking yourself these questions, you should be, because the new legislation is set to take effect on 25 May 2018. If you are found not to be compliant, your organisation could face hefty new fines (up to €20m or 4% of the organisation’s annual turnover, whichever is greater) and suffer damage to its reputation.
What is GDPR?
The General Data Protection Regulation (GDPR) is replacing the Data Protection Act 1998 and will take effect on 25 May 2018.
The new regulation will directly impact all organisations that process data within the European Union (EU). It has been confirmed that the new regulation will apply to the UK as it will still be an EU member state when the regulation comes into effect next year. However, it is important to note that even if your organisation is based in a non-EU country but operates in an EU member state, your organisation will be required to adhere to the new regulation.
GDPR is set to enhance the data privacy rights of EU citizens, streamline data protection laws across the EU and strengthen data security.
What are the key changes that will impact HR?
The changes that we will see introduced as part of GDPR are largely based on how personal data is managed, and as HR teams are the key data processors in an organisation, they will need to adapt to a new way of working to ensure compliance. Below are some of the key changes your HR teams will need to be aware of:
Employers will need to obtain informed consent from employees to process their data. This means that employers will need to ensure that employees understand the changes and their rights to enable an employee to make an informed decision. Employees also have the right to withdraw consent at any time. Therefore, it is essential that a process is put in place to manage employees opting in and out.
Enhanced Access Rights
Employees have enhanced rights to access their data and to have it corrected or deleted. Unless self-service is available in your organisation, this task will sit with HR. Under the current Data Protection Act, employees and ex-employees can request to see what information is held about them. This remains similar under GDPR; however, the period in which the data processor (HR) must respond has been reduced to 40 days. HR teams must have a way to easily extract personal data to meet the timeframe. This might sound achievable if all your personal data is held in one centralised system, but if your organisation is using multiple systems, or perhaps still relying on Excel spreadsheets or paper-based documents, then this task will be tricky and time-consuming.
When personal data has been lost or compromised, the breach must be reported to the Information Commissioner within 72 hours and all employees impacted must be notified. As the personal data sits within HR, it is likely that the process of reporting the breach and notifying employees will sit with HR.
It is essential that your organisation takes the time to review your current processes, identify any gaps and make sure any necessary changes are implemented before May 2018.
Below are some points you need to start thinking about:
- Is a project team required to oversee GDPR initiatives? Does your organisation require a designated Data Protection Officer?
- Create an inventory identifying what personal data is required and why, how it is obtained and where it is stored. Also think about what data you would need to retain for ex-employees, why this is required and the timescales for the retention of this type of data. You want to ensure you are not deleting data that may be required in the future.
- You will also need to plan for how you will manage requests for data from employees and ex-employees. How easy is it to report on personal data? Understand what should be included and estimate how long it might take to process a request to ensure you will meet the timeframes. If you cannot extract data in an efficient way, it might be worth reviewing how you record and store data.
- Do your employees have access to their own personal data, and can they edit it? If the answer is NO, you will need to ensure that HR can action these requests on behalf of an employee. However, you may also want to consider introducing self-service functionality to your organisation to give employees transparency over their personal data.
- Find out what your vendors are doing with personal information and what they are doing to ensure they comply with GDPR. If you are using an HRIS vendor, you might want to find out how data can be deleted from the system, as this is a requirement under the ‘Right to be Forgotten’ rule.
- If you are not currently using an HRIS system to store your employee data, it might be worth considering. HRIS software can offer a centralised system for all employee data, meaning that you can easily extract and report on personal data, enable self-service functionality to give employees transparency over their data, and provide an audit trail of when and by whom data has been edited or removed. All of this will help ensure you are compliant with GDPR.
- Review all current contracts and documentation regarding data protection and ensure they are updated in line with the new regulation. Start to think about how and when you will communicate with employees to ensure they understand the changes and their rights.
- Ensure you have the right procedures in place to identify, report and investigate a personal data breach. Remember that all data breaches must be recorded and maintained, but data breaches where an employee’s data has been lost or compromised must be reported to the Information Officer within 72 hours.