MEMBER BULLETIN – Getting ready for GDPR, an HR perspective

November 27, 2017

The GDPR will apply to all organisations that are based in, or do business in, the EU, irrespective of their size or sector. It aims to replace the different data protection laws and reporting requirements across Europe with a single set of data protection regulations which will apply to all EU member states in the same way.

So, a single set of rules will also apply to competitors based outside of the EU that provide services to individuals in the EU or monitor EU data subjects. As the GDPR is a regulation rather than a directive, it will apply directly in member states without any additional national legislation.

Data protection laws aim to protect the privacy of individuals whilst giving businesses the right to use that data, but our previous Data Protection Directive dates from 1995 – and so was set in a different technological context to today’s online world. Many tools and devices that are commonly used today (such as smartphones, fitness trackers and sat navs) did not exist when the first Directive was written.

GDPR and Brexit

Even though the UK has voted to leave the EU, we will still be a member in May 2018, and therefore must comply until such time as we do leave. Any UK organisation that has part of its operation within the EU will have to continue to abide by this regulation, and any other organisations that wish to continue to trade with our EU neighbours will need to continue to comply with the rules that affect their data processing.

What does the GDPR aim to do?

In many respects, the GDPR is similar to our current Data Protection Act, in that it aims to ensure that personal data is only sourced and processed for a legitimate purpose, is not kept beyond this and is stored securely. But it reflects more recent developments, such as social media, internet sales, mobile data, cloud storage and the increased ability to combine two or more datasets to create personal data. It also places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. It is written with internet consumer data protection in mind, but covers the processing of all personal data, so it also affects employee data and the way we keep our HR records.

In summary, the GDPR aims to ensure:

  • Increased transparency – individuals should know how their data is being used
  • Increased accountability – processors must be able to demonstrate their compliance
  • Enhanced rights of data subjects – including a “right to be forgotten” and the right to make free subject access requests
  • Freely given consent – consent to process personal data needs to be explicit, specific, unconditional and capable of being easily withdrawn
  • Data security – organisations must be able to demonstrate that data is collected only as necessary, accessed only as appropriate and kept securely
  • Prompt reporting of serious breaches – processors must report appropriate breaches to the relevant supervisory authority and also, in some cases, to the individual(s) affected
  • Increased fines for non-compliance – up to 20 million euros or 4% of global turnover.

Core principles

The core principles remain largely unchanged, i.e. personal data should be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for a specified explicit and legitimate purpose
  • Adequate, relevant and limited to what is necessary and kept for no longer than necessary
  • Accurate and up to date
  • Kept securely.

What are the main risks?

The possible fines for serious breaches are now huge and could potentially put firms out of business. It is also likely that the removal of the £10 fee for subject access requests (SARs) will result in many more such requests. Failure to follow good practice in data storage or retention, or to have a proper process for dealing with SARs, may result in costly action as well as much administrative time. Companies that retain data for marketing purposes will have to take special care that they are not breaching the consent rules, and organisations that process lots of personal data (such as recruitment agencies, executive search firms, etc.) will need to be particularly careful, especially given the increased risk of SARs from disaffected candidates.

The recent security breach within the NHS raised public awareness of the issue of data protection – nearly 100 countries are thought to have been affected by the ransomware cyber attack which crippled the NHS and disrupted banks and telecommunications companies globally. Ransomware is malicious software that takes over a device or computer and encrypts its files so that they cannot be used. The attackers then hold the victim to ransom, demanding money in return for restoring access to their documents.

Information sent internationally

Some specific requirements will not necessarily apply to all companies but need to be considered, for example those regarding information sent internationally. If you operate in more than one EU member state, then you will need to determine your “lead data protection authority”. This applies if you have establishments in more than one EU member state, or if you have a single establishment in the EU but carry out processing which substantially affects individuals in other EU states. Your lead DPA will be the supervisory authority in the state where your main establishment is, i.e. where your organisation makes its most significant decisions about its processing activities. With any international data transfers it will be important to ensure that there is a legitimate basis for transferring personal data to places that do not have adequate data protection regulation. Internal rules may be needed to facilitate intra-group transfers of data.

Actions to take

Employers that have always taken data protection seriously, who rigorously prune their records and have tight security levels in place, may find that any necessary changes are minimal. But many of us are aware of at least some weaknesses in our systems – either we retain information for longer than is necessary, or we use it for purposes other than that for which it was provided, or we know that employees are not as strict with security and password control as our policies say they should be. So perhaps this is a good opportunity to really assess what data we are keeping, for what reasons, for how long, how secure it is and whether we dispose of it securely.

Some key actions to take are:

  1. Assign responsibilities and set up a working party
  2. Audit what personal data is kept, by whom, why, where it came from and where it is stored
  3. Assess the basis on which you are lawfully processing the data and whether you have the requisite consent
  4. Consider your data security
  5. Consider how you will deal with subject access requests
  6. Consider your pre-recruitment checks
  7. Train your employees and check their equipment
  8. Consider any outsourcing/partnership arrangements
  9. Check your documentation
  10. Monitor and review
  11. Notify breaches
