The General Data Protection Regulation (GDPR)
What does HR need to do to ensure compliance?
Below is a high level 6 point checklist with some useful pointers.
For more detailed guidance on each point see the ICO guide here.
1. Check if the GDPR applies
If the answer is yes to any of the questions below, the GDPR will apply:
(a) Are the employer’s activities in the EU, regardless of where they process personal data?
(b) If the employer processes personal data in the EU but is not established in the EU, do they offer goods and services to individuals in the EU?
(c) If the employer processes personal data in the EU but is not established in the EU, do they monitor the behaviour of individuals in the EU?
2. Review what personal data you hold. Why, how and for how long?
Formal Data Protection Impact Assessments (DPIAs) are not always required but are good practice and a really useful way to make sure you are adopting a consistent approach.
A DPIA should contain:
A DPIA can address more than one project but you may need separate ones where the reason for holding data differs.
As part of your review, you will need to decide why you hold particular data, and chart what lawful basis there is for holding it. Where the data is special data, currently known as sensitive data, you will need to ensure that a separate condition for processing special category data also applies.
The available lawful bases for processing non-special data are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. In the HR context, the blanket consent for processing personal data often found in contracts will be insufficient. Consent under the GDPR must be ‘freely given, specific, informed and unambiguous’. Consent may be appropriate for one-off circumstances, e.g. consent to obtain medical records, and is one of the separate conditions which permits processing of special data and in connection with data on criminal convictions.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. An example would be payment details for an employee.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). An example would be personal details required to complete the PAYE tax return.
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if it is a public authority processing data to perform official tasks.) This is likely to be the ground most relied upon in the employment context in which case a Legitimate Impact Assessment should be carried out. For a LIA checklist see here.
The additional grounds for lawful processing of ‘special data’ (formerly sensitive data) are found here.
Of specific interest in the employment context, Schedule 1 of the UK’s Data Protection Bill allows the processing of special categories of data in connection with employment, where obligations or rights are imposed or conferred by law on the controller or the data subject, but N.B. this condition is only met if the controller has an appropriate policy document in place.
The Supplementary Guidance to the Employment Practices code (p 72) gives examples of where sensitive data under the current regime may be processed in relation to a similar proviso.
You will need to assess what technical and organisational measures the employer has in place to ensure the security of the personal data it holds.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Appropriate technical or organisational measures must be used.
How long for?
The GDPR requires data, where necessary, to be kept up to date; and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or corrected without delay, i.e. review your retention schedule!
3. Check that a fair processing notice has been provided to employees setting out what will happen to their personal data
Update your privacy notices and check they are full, accurate and complete.
Article 13 of GDPR sets out what information needs to be provided where personal data is collected from the data subject and notices will need to be updated accordingly.
There are detailed requirements to inform individuals as to when and why their data is collected, processed and transferred. Information will need to be provided covering retention of data, transfers to other countries and an individual’s rights. Privacy notices need to be concise, transparent, intelligible and easy to access.
For more on privacy notices see here.
4. Review your process for dealing faster with subject access requests and other rights
No fee can generally be required for subject access requests except in exceptional circumstances, and there is a shorter timeframe to comply (generally within a month). See more here.
Consider the impact of other individual rights. These are:
For more on these individual rights see here.
5. Find out about and support your company’s policy should there be a data protection breach
For serious breaches the ICO should be notified without undue delay and, if feasible, within 72 hours.
A clear process for notification needs to be in place, underpinned with a training and awareness campaign.
6. Plan for on-going monitoring and maintenance
Penalties for non-compliance are substantial and so ongoing compliance is required.
For example, continue to monitor compliance, keep records and review data retention. Embed on-going training programmes. Provide regular updates to key stakeholders.
Throughout all these six steps, bear in mind the new data protection principle of accountability.
This requires data holders to demonstrate that they comply with the principles. The accountability principle requires organisations to implement appropriate technical and organisational measures that ensure and demonstrate that they comply. This may include internal data protection policies such as internal audits of processing activities, staff training, and reviews of internal HR policies.
Do you need additional HR support while you are putting your GDPR guidelines in place? The team at ELiAction can provide the HR support you need. Call 01494 817193 or visit: HR Support