What Does GDPR Mean for HR Departments? 5 Actions to Take
9th May 2018 | Ardi Kolah
Ensure your HR department applies the correct changes to align with new data protection rules
According to the UK Information Commissioner, Elizabeth Denham, the EU General Data Protection Regulation (GDPR) has created more privacy considerations for organisations and has changed the entire ethos of data protection.
Despite Brexit, the UK Government has committed to implementing the GDPR, which comes into full effect on 25 May this year. One function that has most keenly felt this is the HR Department. GDPR regulates the way payroll information, employee contact and contract details, expenses claims, medical and sickness records and other sensitive details are processed.
It’s the responsibility of every employer – a ‘Data Controller’ under GDPR – to keep all this information secure and to ensure that employees’ rights are respected, with the risk of enforcement action and damaging publicity for getting it wrong.
Increased Rights for Employees is Now a Reality
GDPR significantly enhances the rights of every employee in three key ways:
- The employer must now provide more detailed information about the purposes of, and legal basis for, processing employee data, and about how that data is used.
- Employees have a right to access their personal data, which the employer must normally satisfy free of charge and within one month of the request.
- Under the right to erasure (the ‘right to be forgotten’) the employee has a right to have personal data erased in certain cases, for example once the data is no longer necessary for the purpose for which it was collected, subject to any legal obligation the employer has to retain it (such as tax and payroll records).
It won’t be good enough for the employer to simply say it will abide by GDPR – under the accountability principle it will need to demonstrate compliance if required by the Supervisory Authority and show that it has taken all the necessary technical and organisational measures. Otherwise it can expect to receive a sanction, including a financial penalty.
Is There Any Wiggle Room for the Employer?
GDPR has dramatically reduced that wiggle room, since it aims to bring a more consistent and harmonised approach to the processing of personal data across all 28 EU Member States, so that where a group of companies is established in several Member States, the rules applicable to the processing of HR-related personal data will be the same.
GDPR expressly provides a derogation for individual Member States to implement more specific rules in respect of processing HR-related personal data.
This means that specific rules regarding the processing of personal data for recruitment, performance of the employment contract, diversity, health and safety, etc. may still be adopted on a national law basis.
Art. 9(2)(b) and Art. 88 GDPR provide that Member States may create new laws or conclude collective agreements to ensure the protection of personal data in the context of national employment law. These must include appropriate safeguards, and Member States must inform the European Commission of any laws adopted in this area.
But that doesn’t open the door for letting HR Departments carry on regardless of the new data protection rights under the GDPR. In fact, the reverse is true. Organisations will need to exercise additional caution in Member States that apply additional protections to the privacy rights of employees.
5-Step Action Plan for HR Departments to Implement for 2018 and Beyond
- Identify a suitable individual within your organisation who can be trained and appointed as the Data Protection Officer (DPO). The DPO is chosen on the basis of professional qualities and expert knowledge of data protection law, and must not hold a role that creates a conflict of interest (a head of HR who decides how employee data is processed cannot independently monitor that processing). Part of the job of this individual is to quickly build relationships with the HR department and ensure that adequate awareness and training is commenced within the organisation.
- The organisation, advised by the DPO, needs to carry out a Data Protection Impact Assessment (DPIA) of its HR processing. HR data routinely includes health and other special-category data, so this assessment of current HR-related personal data and processing activities will help to identify existing structural and operational risks.
- Review all HR policies, processes and procedures including the data privacy notice given to staff to ensure compliance with GDPR and national Member State laws across the EU. Ensure that all documentation provided to employees is in ordinary, intelligible language. As far as possible, seek to harmonise HR policies and procedures across the EU.
- Ensure that all employees’ personal data is processed under an appropriate legal ground for each purpose. Because of the imbalance of power between employer and employee, consent is rarely freely given in the employment context and should not be relied on; the usual grounds are performance of the employment contract, compliance with a legal obligation (for example payroll and tax reporting) and, for other processing, legitimate interests. Special-category data such as health records additionally needs an Art. 9 condition, typically Art. 9(2)(b). Issue a fresh Data Privacy Notice that records these grounds, separate from the terms and conditions of employment.
- Ensure that the DPO maintains their level of knowledge, skills and expertise in GDPR by ensuring they have a suitable training and development budget for themselves and those that they appoint to work alongside them.