What is GDPR?
The General Data Protection Regulation (GDPR) takes effect from 25th May 2018. It is the biggest change in data protection law for 20 years, replacing the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) with a new set of EU-wide rules governing the privacy and security of personal data. As a regulation rather than a directive, it applies directly in every member state without needing separate national legislation.
What is the aim of GDPR?
The new regulations have been designed to give individuals power over how their data is processed and used, and to protect their privacy. Individuals will be able to require that businesses delete personal data that is no longer necessary, and correct data that is inaccurate. They also gain the right to access a readable copy of any data a company holds about them and to object to their data being processed.
Who will be affected?
Any organisation that processes the personal data of individuals in the EU must comply with the new law, whether or not the organisation itself is based in the EU. Businesses and organisations that fail to comply could receive fines of up to 4 per cent of their annual global turnover or 20 million euros, whichever is higher.
What do HR need to consider?
GDPR will tighten the rules for gaining consent from employees to process their personal data. Consent must now be freely given, specific, informed and unambiguous, and because of the imbalance of power between employer and employee, regulators regard consent as rarely a valid basis for processing employee data. HR departments should therefore identify which other lawful bases they can rely on, such as the processing being necessary to perform the employment contract or to comply with a legal obligation.
What counts as personal data?
Any information relating to an identifiable employee, such as names, photos, bank details, email addresses, home addresses or national insurance numbers, qualifies as personal data. Medical records, trade union membership and similar information fall into the GDPR's "special categories" of data, which attract stricter rules.
Do I have to get an employee’s consent to retain personal data?
Companies may process employee data on the basis that it is necessary to perform the employment contract or to pursue the employer's legitimate interests, in which case consent is not needed. However, where consent is relied on, its conditions have been strengthened, so consent that was obtained as part of the terms and conditions of an employment contract may no longer suffice.
Explicit consent, or another specific condition set out in the GDPR, is needed for the retention and processing of special category data such as medical records, so it is important to assess this between now and May 2018. The GDPR also gives "data subjects" the right to withdraw consent at any time, and withdrawal must be as easy as giving it.
What must HR do if there's a data breach once the GDPR is in force?
Under the GDPR, organisations must report a personal data breach to the appropriate supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If the breach is likely to pose a high risk to those individuals, the business must also inform the people affected, although this second step is not required if the data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it. Keep a record of every breach, including those that do not meet the reporting threshold, since the regulator can ask for it.
What about data security?
It is important to review security provisions and to consider any potential issues that could arise because of the way that data is stored, accessed and shared. The GDPR requires "appropriate technical and organisational measures" proportionate to the risk, and names pseudonymisation and encryption as examples. Depending on the nature and scale of the processing, companies may also be required to appoint a Data Protection Officer to oversee data processing activities; this is mandatory where core activities involve large-scale processing of special category data or large-scale, regular and systematic monitoring of individuals.
What steps should we take in HR now?
Review your data protection processes and procedures and identify any areas of concern. (Part of this process is to create an inventory of all the personal data that you hold, recording where it is stored, who has access to it, why it is retained and for how long.)
Engage with your workforce and make them aware of the new rules and their rights. This will make it easier to obtain any consent you genuinely require to hold their special category data. You'll also need to look at how you obtain and record declarations of consent from your workforce, and how employees can withdraw them.
Review employment contracts and associated documents to check whether they meet the requirements for consent going forward, and whether a lawful basis other than consent should be relied on instead.
Where can businesses get help and advice?
The Information Commissioner's Office (ICO) in the UK has released guidance to help businesses prepare for GDPR, including a 12-step checklist of preparatory actions.
It also recommends that companies review their privacy notices and put a plan in place that allows them to make any necessary changes to be in compliance with GDPR before 25th May 2018.