It has been well publicised, that Brexit will not negate the UK from the General Data Protection Regulation (GDPR) - the Government will be introducing a new Data Protection bill this year to incorporate the European Directive as well as national derogations specific to the UK.
The official introduction of GDPR is now iminent. As such, employers, who are yet to embark on the challenge or are at the early stages of the compliance journey, should be taking action in relation to HR related data. Although there are some finer details yet to be confirmed about the application of GDPR in the wider context, from a HR perspective, there are a clear set of obligations to fulfil now.
It’s all about the data
The data covered by GDPR is personal data and this means any information relating to an individual, who can be identified, directly or indirectly by reference to the information held.
The most crucial part to manage and likely to be the most time consuming, is reviewing all the data held and processed for HR purposes. In practical terms, this will mean undertaking an audit of all the data sources currently in place; no stone should be left unturned! This includes data transferred outside the EU boundary that will be subject to the same regulations. Lastly, but not least, the HR data audit should consider third party organisations used to process data – some common relationships are with HR software providers and recruitment agencies.
Many organisations will have migrated to digital and cloud based platforms to hold data, but there will likely be traditional paper based systems for some or all of the data, such as ex-employees. This will be unique to the organisation depending on financial resources and other factors such as: industry specific practices, internal processes and technological resources. Whatever the composition of data is, the same prescribed GDPR principles will apply:
- Fair, lawful and transparent processing of personal data;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes of
- Accuracy and kept up to date;
- Kept for no longer than is necessary for the purposes for which the personal data is processed;
- Security and confidentiality.
These principles are fairly self-explanatory and are fundamental to data management.
Other data considerations
Special categories data
Earlier in this article we discussed the context of personal data. There is also a sub-category of personal data referred to as special categories of data. Information that falls under this group includes: race/ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic and biometric data, health/medical records and sexual orientation. These sub-categories of personal data require greater scrutiny during the audit process and as such must satisfy additional legal grounds in order to justify the relevance and purpose of the processing activity.
Encryption techniques – implications for personal data
There are exciting times ahead for organisations that can tap into technological expertise.
Anonymisation of data is a useful tool to mitigate the loss and breach of personal data. Anonymised data in this context means that an individual cannot be identified from the data available and processed. Where data is anonymised in this way, GDPR makes it explicit that it will not be covered by data protection legislation. The Information Commissioner’s Office (ICO) advises that organisations using anonymisation techniques need to incorporate assessments of the risk of re-identification. In theory if the personal data can be fully anonymised, it is no longer classified as personal data under GDPR.
The ICO has confirmed that for organisations with 250 employees or more, it is a mandatory requirement to document all processing activities. However, SMEs have not been given a free pass here, there is still a requirement to document regular processing activities and most importantly for special categories of data or criminal conviction and offence data. The record should be comprehensive and will include the following components: what HR data they hold, who it is shared with, where it is stored, the reason for holding the data and the retention period. Additionally, it will include the contact details for the Data Security Officer (if applicable) and technical and organisational security measures in place.
There is also the further requirement of the Data Privacy Impact Assessment (DPIA). This process is geared towards risk assessment and must be conducted by organisations using new technologies and where the processing is likely to result in a high risk to the rights and freedoms of individuals.
Privacy notices, policies and procedures
Privacy notices must satisfy the right to be informed under GDPR. In this respect they should be concise, transparent, written in clear and plain English and easily accessible. It should detail a comprehensive record about what information the employer collects, the source of the information, the purpose for processing the data, who has access, how the data is protected, data retention periods, employees’ rights in relation to the personal data processed and information regarding automated decision making. Privacy notices are fundamental to GDPR; one crucial point to highlight is the purpose for processing the data must be precise. If data is subsequently processed for another means not specified in privacy notices, then this will result in a breach of the regulations.
Policy updates and modifications will be required to incorporate GDPR compliance as appropriate. There are many policies where this will impact such as recruitment, social media and information technology. The most pressing areas are a data breach response programme and data subject assess requests. GDPR takes a very dim view of non-reporting of data breaches and therefore a clear communication about the procedural steps to detect, report and investigate personal data breaches, will be necessary for employees to access (to include reporting timeframes and documenting process). GDPR places increased obligations for data subject access requests, as there will be no fee for the request and the response time will reduce to one month. Employees will also have the right to rectification, erasure or objection of the data and ultimately have the right to complain to the ICO. Due to the increased provisions, it is highly beneficial to produce a clearly defined policy to support and maintain satisfactory compliance and to meet the obligations of the data management audit programmes.
Is a Data Protection Officer (DPO) required?
Even where there is no legal obligation to appoint a DPO, the ICO recommends appointing an individual to take responsibility for data protection compliance. The scope and responsibilities will be in the wider context of personal data and not just focusing on HR related information held. Mandatory appointment of a DPO applies for the following: public authorities, organisations that carry out regular and systematic monitoring of data subjects on a large scale and where the core activities involve processing special categories of data. Employers should seek advice if they are unclear.
The stricter regulations and increased rights for data subjects to challenge the validity of processing activities has ramped up the requirement for well designed data management tools in the HR arena.
For further information on any aspect of this article or details of our portfolio of GDPR services, please get in touch with CBW’s HR Consultants.