Every organisation that processes personal data must comply with the new GDPR rules that take effect in May 2018. There are no exemptions based on size or sector, no staggered dates for compliance and, based on the current performance of the body responsible for policing data protection legislation, a rock-solid guarantee that the new regulations will be enforced and, where companies fall short, fines imposed.
Those with HR and people responsibilities are, without a doubt, at the front line of GDPR compliance. They work with personal data all the time: in fact, their jobs could be said to rely on it.
As custodians of employee information, they’ll be the ones who will need to audit existing processes; validate their own security and that of the third parties they share HR information with, such as HR software and payroll providers; take on at least some of the responsibility for compliance training and monitoring; and equip themselves to report any data breaches involving employee data, as well as respond to ‘subject access requests’ from employees.
Where should you start?
For many HR teams, getting to grips with GDPR is understandably daunting, not least because so much has been written about the higher standard of consent for processing personal data that the legislation requires – and the cost of getting it wrong.
At first glance, asking employees for consent seems reasonable. You may already let employees know why you ask them for personal information and what you use it for.
However, when it comes to collecting and processing employee data in the context of GDPR, a reading of the regulations indicates that the focus on consent is misleading and could, in fact, be damaging.
Under GDPR, consent is defined as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In an employment context, relying on consent is problematic for three main reasons:
- It’s administratively complex, since consent needs to be ‘specific’ and shown by a ‘clear affirmative action’. A catch-all clause in an employment contract, or on the login screen of your HR software, won’t cover it.
- It’s unlikely to be enforceable in law. In an employment relationship, demonstrating free consent is almost impossible, since the relationship is not one between equals. By refusing consent, an employee may feel that they put their relationship with their employer in jeopardy.
- By asking an employee to give their consent to processing information, you may inadvertently give them stronger rights to have their details deleted. What would be the business implications if, for example, an employee demanded that you delete data about their absences (sickness or otherwise), performance, skills, perhaps even their address? It may seem unlikely, but it’s possible.
Legitimate business interest
Instead, HR should rely as far as possible on legitimate business interest. This should cover the data required to ensure the employer fulfils its contractual obligations to its employees: for example, to pay them, award paid time off, or manage grievance or health and safety issues. It will also extend to issues relating to the effective running of the business, such as monitoring absences, performance reviews or skills audits (with a caveat in relation to automated decision making, which is also covered by GDPR).
Legitimate interest cannot be applied in all cases. For example, processing employee information related to wellness initiatives, while laudable, is likely to require consent, as is sharing personal data with third parties so they can market their services to your employees – however attractive the offer.
An essential first step for HR, therefore, is to audit and document employee information: what you gather and why, where you store it, how you ensure it is accurate and up to date, and who you share it with. This forms the foundation for the other activities that HR – or someone else in the organisation – will need to address for GDPR compliance.
The ICO (Information Commissioner’s Office) has put together a handy 12-point plan for anyone with day-to-day responsibility for data protection, much of which is relevant to HR.
Beyond the data audit, top priorities for HR are likely to include: updates to privacy notices, a review of current consent approaches, awareness and training activities, internal and partner data security reviews, processes for reporting data breaches, and a cost-effective response to subject access requests.
For HR teams making do with spreadsheets and paper-based files, GDPR may also provide the impetus to modernise personnel record keeping. In a side note to the legislation, the regulator recommends making use of employee self-service HR software, so that employees can both see, and where appropriate correct, the data their employer holds on them.
Consolidating HR information in a single, secure HR software system has other benefits for GDPR compliance. It’s generally easier to demonstrate that you have appropriate security in place if personnel records are held behind a secure login than in spreadsheets or office filing cabinets, and approval workflows and audit capabilities make tracing and tracking far easier than trawling through historic emails.
Although GDPR will not be in force until May 2018, the new regulations will have significant implications for the way that companies manage their HR data. HR needs to start preparing now.
Please note: this article is based on our understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. You should refer to the legislation and, if in doubt, work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.