- Last updated: 12th November 2019
Any organisation which fails to comply with the General Data Protection Regulation (GDPR) risks substantial fines and reputational harm. HR departments in particular carry a large share of the responsibility for meeting an organisation's data protection obligations, because they hold some of the most sensitive personal data in the business.
In this guide, we discuss seven key steps for HR functions to ensure GDPR compliance through effective and robust data protection systems, practices and processes.
This article covers:
- GDPR personal data rights
- Step 1: Assign data governance duties
- Step 2: Lawful processing and data minimisation
- Step 3: Privacy information
- Step 4: Review policies and employment contracts
- Step 5: Accommodation of data subject rights
- Step 6: Develop a personal data security breach procedure
- Step 7: Implement staff training
GDPR affords all individuals, known as ‘data subjects’, the following rights regarding their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Your organisation must actively record and be able to demonstrate its compliance with GDPR when processing personal data. ‘Processing’ is defined very broadly: it covers any operation performed on personal data, including collecting, recording, storing, consulting, using, disclosing and erasing it. Simply holding data on file is processing.
HR professionals typically handle a vast amount of personal data across the employee lifecycle, from job applicants to current employees and former employees. This data can vary significantly and may include attendance details, sickness absence, performance history, notes made upon recruitment and sensitive personal data such as information about race, ethnicity, religion, criminal history, sexual orientation and medical history.
Some organisations are legally required to appoint a data protection officer (DPO). This applies to your organisation if you are:
- A public authority or body
- An organisation whose core activities involve large-scale processing of special category data (such as health, race, religion or sexual orientation) or criminal conviction data
- An organisation whose core activities involve regular and systematic monitoring of individuals on a large scale
Even where a DPO is not mandatory, someone must own data protection. Depending on the size of your HR department, this may mean delegating data privacy compliance tasks to one or two staff members, or to a whole team. Either way, establish a clear reporting line within your data management team so that every duty has an owner and accountability can be demonstrated to the regulator.
Compliance with GDPR for HR depends on ensuring every individual data-processing activity is ‘lawful’, which means it rests on one or more of the six recognised lawful bases below. Remember that simply holding data is a processing activity and needs a lawful basis of its own.
Consent can be a lawful basis for processing data, provided the data subject knows precisely what they are consenting to and the consent is given for a specific processing activity. They must be informed clearly and unambiguously which data you are using and what you intend to do with it, and they must be able to withdraw consent at any time as easily as they gave it. ‘General’ consent is not valid; it is not enough for the data subject to agree to any and all processing undertaken by the organisation. Relying on consent is particularly risky in the employment context: regulators take the view that the imbalance of power between employer and employee makes it hard to show that consent was freely given, so consent should rarely be the primary basis for HR processing.
Data can be lawfully processed where it is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into one (e.g. processing an applicant's details in order to issue an employment contract, or processing bank details to pay salary). GDPR recognises that a contractual relationship cannot exist without some exchange of personal data.
Data may be processed lawfully where the organisation handling it has a legal obligation to do so (e.g. reporting payroll information to the tax authority, carrying out right-to-work checks, or producing records in response to a court order).
‘Vital interests’ can be a lawful justification for processing data if abstaining from processing that data could result in serious harm or death to any person – not just the data subject (e.g. if a person’s medical history were required to treat them for life-threatening injuries).
Personal data can be lawfully processed where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (e.g. using medical or crime data to improve health services and public policy). In practice this basis is mainly available to public authorities and bodies performing public functions.
An organisation may process personal data where it has ‘legitimate interests’ which are not overridden by the data subject's own interests or fundamental rights and freedoms (e.g. to prevent or detect fraud). This basis requires a documented balancing test between your interest and the individual's, and public authorities cannot rely on it for their public tasks.
To ensure all the data you already hold and any new data you collect is processed lawfully, organise an HR data audit. Create a register with a category for each type of record you hold (for instance, recruitment, current employees, former employees). Within each category list which data you hold, how and where it is stored, who has rightful access to it, how long you will keep it and what the lawful basis for holding it is. This register also serves as the record of processing activities that GDPR requires most organisations to maintain.
At this stage you should practise ‘data minimisation’ by disposing of any personal data for which you no longer have a lawful reason or a current need, and by setting retention periods so that the same review happens routinely rather than as a one-off.
Every person has the legal right to know why you are requesting certain information and what you intend to do with it. Individuals from whom you collect personal data must be informed:
- Why you are collecting the information
- What will happen to the information
- Who will have access to the information
This is known as ‘privacy information’. You have a responsibility to provide data subjects with privacy information whenever you collect personal data. When you collect the data directly from the individual, you must provide it at the time of collection. When you obtain the data from another source (for example a recruitment agency or a referee), you must provide it within a reasonable period and no later than one month after obtaining the data, or at the point of first contact with the individual if that is sooner. Ensuring your organisation’s privacy information is complete and up to date is a vital step in achieving GDPR compliance.
Privacy information must be detailed yet concise and easy to understand. Include the following when writing up privacy information templates for data subjects:
- The name and contact details of your organisation and if applicable, the name and contact details of your data protection officer.
- The purpose of, and lawful basis for, each processing activity (and, where you rely on legitimate interests, what those interests are).
- The recipients or categories of recipients of the data, and whether it will be transferred outside the UK or EEA.
- The length of time the data will be held, or the criteria used to decide that period.
- The data subject’s rights regarding processing, including their right to withdraw consent where consent is the basis, and their right to complain to the data protection authority.
- If applicable, a statement that the data subject is legally or contractually obliged to provide the personal data, and the consequences of not doing so.
It can be helpful to draw up a summarised version of this privacy information for use on recruitment forms. This would include pointing data subjects toward full privacy information which is not featured in the summary.
If you have not already done so, draw up a revised data protection policy which sets out data subjects’ rights and the disciplinary consequences of personal data breaches. Then update your employment contracts and other data collection documents to include your new privacy information. As part of this organisation-wide update, also consider upgrades or alterations to IT security systems and policies, and devise or review your ‘access request’ documents.
Any person for whom you hold personal data has a right to access that information, and to receive a copy of it, at any time. A data subject may also ask you to correct data that is inaccurate or incomplete, and may ask you to erase data in defined circumstances (for example, where it is no longer needed for the purpose it was collected, or where it was processed unlawfully). You can refuse erasure where you are required to keep the data by law or need it to defend legal claims, but you must explain why. You must respond to these requests without undue delay and in any case within one month, extendable by a further two months for complex or numerous requests, so your HR department should develop systems and procedures to locate, review and release the data in time. This will include drawing up access request forms and a log of requests received.
GDPR requires all organisations to report a personal data breach to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. You must also inform the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
To ensure personal data breaches are detected as early as possible, develop and implement robust breach-detection systems. You must also have an established internal procedure which allows all employees to report suspected breaches quickly and effectively as they occur, since the 72-hour clock starts when the organisation becomes aware of the breach, not when the authority is told. Set out in the breach reporting procedure exactly how, and by whom, the data protection authority will be contacted. Note that every personal data breach must be recorded internally, with its facts, effects and the remedial action taken, even if you decide it does not need to be reported to the authority.
Having developed appropriate systems and procedures to ensure GDPR compliance at every stage of processing, your final step is a company-wide staff training programme. Not all departments and employees have the same exposure to personal data, so different levels of training will be appropriate. Basic data protection awareness should also be added to your induction programme for new employees. Design the training so that all employees understand the organisation’s GDPR obligations, the penalties for non-compliance and the procedure they must follow when reporting a possible data breach.
GDPR presents an area of acute risk for employers who typically handle and store extensive personnel-related data. Ensuring compliance is critical to avoid ICO scrutiny, financial penalties and negative press attention.
DavidsonMorris are experienced human resource professionals, and we understand the challenge of driving forward key HR initiatives against day-to-day workforce management demands. We provide HR consultancy services in support of HR departments, delivering specialist expertise and guidance in areas such as data protection, enabling the internal HR function to focus on the organisation’s strategic and transactional people needs.
If you have a question or need advice on any aspect of GDPR compliance for HR, contact us.