Employee data – what’s changing?

As a HR professional, you are constantly balancing the privacy of employees with the information an employer needs to know. The implementation of GDPR is going to make this more difficult, especially since existing processes may not meet the new standard for data protection.

The GDPR will introduce more extensive rights for individuals and more onerous obligations on organisations than the existing data protection regime in EU member states.

Although the GDPR won’t become enforceable until 25th May 2018, it’s advisable that HR departments begin reviewing, without delay, any current data processing activities to ensure compliance with the new obligations under GDPR.

Some important areas of change you should be aware of:

1.It will be more difficult for employers to rely on consent when processing HR data as, where consent is relied upon, the consent provided by employees must be freely given, specific and on an informed basis. Refusal to give consent should not have detrimental consequences for employees. Consent can also be withdrawn.

2.Data breach notification programme: If an organisation suffers a data breach, it must, in most cases, notify the data protection authority within 72 hours. In addition, if the data breach is likely to result in a high risk to the rights and freedoms of individuals, organisations must notify those affected individuals without undue delay.

3.Increased rights of employees: An employee’s data protection rights include:

  • A right to know whether his or her personal information is being processed, why and how and with whom it’s shared
  • A right to access his or her data and to have inaccurate data rectified
  • A right to require an employer to erase personal data about them in certain circumstances

4.To meet their accountability obligations, an organisation needs to:

  • Establish whether they need to appoint a data protection officer
  • Carry out privacy impact assessments
  • Keep records of all processing activities

What about ‘Brexit’ and EU regulations?

Although the UK has voted to leave the EU, this will not affect GDPR becoming law in the UK. With the expanded territorial scope of the GDPR, UK companies offering goods or services (even free of charge) to EU citizens, or monitoring their behaviour, will also continue to be subject to the GDPR, regardless of the UK’s departure from the EU.

Important steps for HR to take:

  • Review your use of HR data – For what purpose do you use the personal data you hold? Are there vulnerabilities in the system? Who has access to the personal data and does this need to be reviewed? With whom do you share the personal data? Do you outsource any HR operations, which involve the processing of personal data? Identify the legal basis on which you will rely when processing employees’ information. Have your employees given consent to use their data? Where you rely on consent, does it meet the enhanced consent requirements? Is the data reviewed frequently for accuracy?
  • Carry out an audit of current privacy notices – many of your documents and processes may need updating with increased information in order for them to comply with GDPR obligations.
  • Review how you handle data subject requests from your employees and former employees. Do any changes need to be made to accommodate the new data subject rights introduced by the GDPR, including the right to data portability and right to erasure?
  • Develop a response programme in the event of a data breach – assign people responsibility for investigating/containing breaches and, where necessary, reporting breaches to the Information Commissioner’s Office and employees. Do you have any insurance which may help you to manage your exposure in the event of a data breach?
  • Do you need a data protection officer? If so, as part of your company’s accountability requirements, if one has not already been appointed then begin recruiting and/or identifying a DPO from existing headcount.   

Addressing the above points, will help your organisation to establish its readiness for GDPR and identify any changes that need to be made to its processes, procedures, IT systems and documents.

The information contained in this article is not intended as legal advice, which we are not authorised to provide.

Source: HR Brief Newsletter 2nd Quarter 2016