With only a few weeks to go until the General Data Protection Regulation ("GDPR") becomes directly applicable on 25 May 2018, many organisations are entering a crucial period as they seek to 'upgrade' their privacy & data protection standards to meet new and enhanced legal requirements.
At its core, the GDPR dramatically heightens expectations on businesses in the way that they manage, use, store, secure and otherwise process personal data. Clearly, HR and Talent functions act as the custodians of significant volumes of often sensitive or confidential personal data within any organisation, and must therefore take centre stage as this new and demanding law bites.
It may be easy or tempting to think of the processing of employee, applicant and contractor information as having less priority than other areas of the business. However, the GDPR – and its significantly enhanced penalties (including administrative fines of up to 4% of an undertaking's worldwide turnover or EUR 20 million (whichever is higher)) for non-compliant organisations – does not hold these categories out as deserving of more lenient rules. Works councils and members of staff are often the source of issues raised directly with companies and also with regulators. The risk of penalties will also be enhanced by the prospect of vicarious liability for employers and this could stem from a seemingly minor data breach by an employee in the 'course of employment'. HR functions that remain unsure how the new rules will affect their activities and obligations should act now.
To assist businesses with their HR-specific GDPR compliance programmes, we have identified – at a high level – a number of key action points in the checklist below, as split between eight prominent GDPR themes. We have experience in each of these areas and would be happy to help guide your business through these challenging new requirements.
Individuals engaged by any organisation (whether employees, contractors, applicants, interns or volunteers, for example) need to be provided with more detailed, granular and accessible information setting out how their personal data is used. This is commonly set out in a 'privacy notice' and must be provided to individuals at the outset of any relationship and updated regularly. Key compliance steps will include:
Organisations will need to be aware of enhanced individual rights of access (under a refined data subject access regime), objection and rectification, as well as new rights to data portability, restriction and erasure. HR teams must be able to recognise and deal with individual requests within strict deadlines. The following will assist with this:
The processing of personal data for each identified HR purpose must be justified on at least one of a number of strictly prescribed legal grounds. The days of relying on employee consent, which will be harder to justify and is unattractive given rights to withdraw consent must be honoured, in the context of an employment relationship, are over. Alternative legal grounds, such as reliance on an organisation's 'legitimate interests' or contractual necessity, will be required instead. Businesses should, at minimum:
Businesses must be able to demonstrate 'data protection by design and default' within internal systems, so that the concept of data minimisation (whereby the minimum amount of data is retained for the shortest possible period) is central within HR functions. This can be achieved through a combination of technical, organisational and practical measures, such as the following:
Where HR data is shared within a corporate group (such as on a HR IT platform or in the course of carrying out specific investigations or redundancy exercises), or with external service providers (such as those offering hosting platforms, employee database management products or facilitating benefits / payroll administration) organisations will need to implement new practical and contractual arrangements with each recipient to ensure they will handle the data properly. The following steps would be sensible, at a minimum:
Whilst the GDPR does not fundamentally change requirements relating to the transfer of personal data across borders, organisations reassessing their data sharing arrangements (as above) would be sensible to use this opportunity to consider the continued adequacy of their current international transfer mechanisms, including Standard Contractual Clauses ("SCCs"), Binding Corporate Rules and the EU-US Privacy Shield. HR functions should focus on:
The GDPR raises the stakes in respect of personal data security, not least because of its significantly increased potential fines and sanctions should data breaches occur. Organisations will need to be able to quickly recognise, isolate, mitigate and respond to security incidents in line with a formal procedure, and report certain breaches to their regulator (within 72 hours) and / or individuals. HR functions and individual business units must be aware that the term 'data breach' is not limited to malicious hacking; misplaced hard-copy personnel files and erroneous email recipients can be covered too. Breaches could stem from employee actions which, on the face of it, seem innocuous, for example forwarding an email chain which contains personal data / sensitive data (e.g. ‘she is not coming to work today because her daughter has chicken pox’). In the UK, it also now appears that organisations can be vicariously liable for data breaches caused by rogue employees. Risks can be reduced by taking the following minimum steps:
Passive compliance with the GDPR is not possible. Instead, all business functions – including HR – will now need to 'demonstrate compliance' with their data protection obligations. Organisations should work towards this requirement by: (i) introducing detailed data protection policies and training; (ii) subjecting internal controls to regular audit and review; and (iii) maintaining a comprehensive, up-to-date 'record' of all processing activities. With this in mind, businesses should:
NB: This document is intended as an illustrative overview only, will not be appropriate for all organisations and is not intended to be a substitute for specific legal advice.
Please also note that under the GDPR, individual EU member states are entitled to introduce more detailed and restrictive local laws in respect of the processing of personal data within the employment context. Compliance programmes will need to take any local variations into account, as applicable to their countries of operation.