As organisations get ready for the General Data Protection Regulation (GDPR), they need to think about the people closest to home. In other words, when it comes to data law compliance, don’t overlook what it means for your staff – and the role of HR.
Along with new data governance and reporting obligations, the GDPR introduces new and enhanced rights for individuals in key areas such as data access and the right to be forgotten. Businesses need to grasp what this means for the employee/employer relationship and consider what changes will have to be made to stay on the right side of the law.
The upshot? When it comes to GDPR compliance, HR has a central role to play. So, as the new law comes into force, here are the areas for HR managers to focus on.
Why the GDPR is HR’s business
The GDPR gives individuals greater control over what happens to their data – as well as setting out what’s expected of organisations to ensure that individuals can exercise their rights.
This is especially relevant for employee data. After all, in areas such as payroll and salary information, medical records, appraisals, disciplinary records (and much else besides), organisations routinely hold sensitive personal data about their staff. Some of it, health information for instance, is ‘special category data’ under the GDPR and can only be processed where one of the additional conditions the GDPR sets for such data is met.
HR is the function that manages the relationship between your organisation and its people, so managing their personal data should be seen as part and parcel of that job: processing it in a way that keeps the relationship running smoothly and keeps your organisation on the right side of the law.
Beyond the employer/employee relationship, you also need to think about your data protection obligations towards job candidates when hiring. For a more detailed look at this aspect of HR, our guide to GDPR and recruitment is definitely worth a read.
What data do you deal with? HR’s role in data mapping
As the first step towards compliance, organisations need to establish what personal data they hold, where it is stored, why it is held, who has access to it, how long it is kept, and how data flows in, out and through the organisation.
Our guide to data mapping explains how to take a systematic approach to this. The exercise should cover every data processing activity across the business. For HR, that likely includes (but is not limited to) the following:
- the logging and storing of personal contact info and bank details;
- payroll information management;
- records of appraisals;
- training & development records;
- communications to/from/concerning the employee;
- absence records and medical records;
- disciplinary records; and
- activity logging and monitoring records.
Defining “lawful processing” from an HR perspective
You must be able to show a lawful basis for processing an individual’s data. For the customer data you handle, the relevant basis may be ‘consent’. The GDPR introduces stricter rules on consent: it must be freely given, specific, informed and unambiguous, and it must be as easy for the data subject to withdraw it as it was to give it.
For employee data, relying on consent is problematic. Because of the imbalance of power between employer and employee, a regulator is unlikely to accept that consent was freely given, and consent can be withdrawn at any time. In theory, that would mean an employee could withdraw consent to your processing of their disciplinary records.
To ensure that your organisation’s register of data processing activities is accurate, you should work out which lawful basis applies to each activity. Most likely it will be one of the following:
- the processing is necessary for the performance of the contract of employment between you and the employee; or
- it is necessary to meet a legal obligation (e.g. regarding health and safety at work or tax obligations).
Some HR processing, such as certain forms of workplace monitoring, may instead rest on your legitimate interests, which requires you to balance those interests against the employee’s rights and record that assessment. Where the data is special category data, such as medical records, you will also need to identify one of the GDPR’s additional conditions for processing it, typically that the processing is necessary to meet your obligations under employment law.
Establishing a legal basis for particular data processing tasks might seem a legalistic point, but it deserves careful attention by HR for two important reasons:
- Accountability: by keeping a record of how you assessed the correct lawful basis for each processing activity, you can show the regulator that you properly considered your employees’ data rights if this is ever queried; and
- Fewer disputes: it reduces the scope for disagreement with current and former staff over the basis on which their data was processed.
Accommodating the data rights of individuals
Our resource centre contains easy-to-digest info on the key changes to individual data rights introduced by the GDPR. For a taste of how these new rights impact HR, take a look at the following scenarios:
- An employee emails you, asking for confirmation of the personal data you hold on her and requesting copies of that data.
The GDPR removes the standard fee for these requests (a reasonable fee may only be charged where a request is manifestly unfounded or excessive, or for further copies) and sets a tighter time limit of one month for responding. This can be extended by up to a further two months where requests are complex or numerous, but you must tell the individual within the first month that you are extending the deadline and why.
HR departments should have a procedure for handling such requests in a timely way: a way to flag them up when they arrive and track the deadline, a step to verify the requester’s identity before anything is disclosed, and a check that the response does not reveal personal data about other people (a colleague named in an appraisal, for example) without considering their rights. It may also be worth organising your HR data estate so that all personal data concerning a particular individual can be identified and collated with minimal effort.
- A former employee asks that you delete all data you hold on her.
The “right to be forgotten” (the right to erasure) under the GDPR isn’t an absolute right. You can decline to erase data that you still need in order to comply with a legal obligation or to establish, exercise or defend legal claims, which is frequently the case with employee records. So, especially for employees, consider carefully when and under what circumstances you can delete data, and when you must keep it.
This also ties in with the principle of storage limitation – i.e. an appropriate cap on the period for which you should store data relating to employees. Here, best practice depends on the category of data. For instance, data relating to tax, NI and related matters should be kept for at least three years from the end of the tax year it relates to, in case of HMRC inspection. For other types of data – such as information on where employees worked, when, and the type of work they were doing – it may be prudent to keep records for longer than this (for the purpose of defending possible legal claims). What’s reasonable here may depend on your industry sector, and whatever you decide should be written down in a retention schedule and applied consistently. Your employers’ liability insurers should be able to guide you on this.
To get on top of GDPR compliance, HR departments should look carefully at the following areas:
- Communication. For staff and job applicants alike, you will need to draw up appropriate privacy notices – clear explanations of what type of information you will be collecting and processing, what it’s for and what rights they have in relation to this. Our guide to privacy notices contains useful pointers on this.
- Updating legacy systems. Is there an easier, more compliance-friendly way of managing HR data and enabling your people to access their data and exercise their rights? Especially for bigger companies, the GDPR could be just the spur you need to shift away from disparate spreadsheets and towards personnel management software.
- Making compliance easier with the Privacy Compliance Hub. We offer a comprehensive compliance product designed to help your entire organisation – including HR – build, maintain and demonstrate its GDPR compliance.
If you’d like to learn more about the GDPR, data protection and privacy in general, head to our resources here. To discover how the Privacy Compliance Hub can work for your organisation check out our free demo – or get in touch today.