What does GDPR mean for HR Professionals?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 along with the Data Protection Act 2018, which supplements the GDPR with an extra layer of UK-specific rules.
The GDPR regime imposes much more stringent requirements on employers than the previous law. This poses a real challenge for HR professionals, who must ensure that they are processing personal data in a ‘fair, lawful and transparent’ way and that they are complying with all applicable documentation and accountability requirements.
Consent is not a ‘fall back’ solution
One key element of GDPR compliance is the requirement to have a ‘legal basis’ for processing personal data. Unlike in other areas, in the employment context it is not normally possible to rely on an individual’s consent as your legal basis for processing. You will need to identify another legal basis, e.g. that processing is necessary to comply with a legal obligation, or in your legitimate interests (which are not outweighed by the rights and freedoms of the individual).
Extensive policy and procedural requirements
The GDPR requires employers to put certain documents in place. Others are not strictly obligatory, but we would strongly recommend putting them in place too. The following are examples of key documents:
- Privacy notices informing individuals how the company uses their personal data (it would be appropriate to have separate privacy notices for different types of data subject, e.g. employee, job applicant, etc. as the uses of their data will differ)
- Retention policies explaining for how long, and in what way, the company might keep individuals’ personal data
- A data protection policy explaining how the company complies with its GDPR obligations and how it expects employees who handle personal data in their jobs to comply
- A record of processing detailing how the company uses personal data (this is an internal document, but it must be shown to the ICO on request)
- A personal data breach register recording details of all personal data breaches, i.e. breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (As well as being recorded internally, breaches must be notified to the ICO unless they are unlikely to result in a risk to individuals’ rights and freedoms.)
All documentation should be regularly and demonstrably reviewed and revised to ensure it remains accurate, relevant and up to date.
Subject Access Requests: a particular challenge for HR
One of the most significant challenges for HR under GDPR is the right of an individual to request access to all the personal data you hold on them (subject to certain exemptions). This is known as a subject access request, or SAR.
The GDPR has shortened the deadline for responding to such requests to just one month, and ICO guidance indicates that you will not be permitted to apply a time extension unless this is necessary, taking into account the complexity or number of requests received. Complying with the deadline can be tricky given the volume of data that may be involved and the need to analyse it to see whether any exemptions apply, but you should not seek to extend the one-month deadline on a routine basis.
The cost of getting it wrong could be significant. Failure to comply with the GDPR can result in potential fines of up to €20 million or 4% of an organisation’s global annual turnover. Criminal prosecutions are also a possibility in some cases.