The General Data Protection Regulation (GDPR) represents a series of extensive and (in part) complex changes that businesses will need to incorporate and keep under review from 25 May 2018. Implementation will require several parts of the business working together to ensure that all aspects of data storage and processing within the business is GDPR ready.
Failures could now result in significant financial penalties.
Given the scope of GDPR, businesses should be undertaking an impact assessment and drawing up a project plan which will require working groups that are cross departmental to address each aspect of data processing (i.e. IT, HR, Finance, Sales, Marketing).From a HR and employee data perspective the issues that HR professionals will need to consider as part of the overall project plan will include:
1. Employee Consent
Employers should no longer rely on the type of passive consent that is currently common in standard employment contracts and so should update new employment contract templates.
To process employee data, the employer should not rely on an employee’s blanket consent requirements, and instead rely on one of the other ‘other conditions for processing data’ such as ‘performance of a contract’, ‘legal obligation’ or ‘legitimate interests’.
Informed and proactive consent might be needed if the processing of employee data is required for a specific purpose other than the purpose of general employment.
2. Update Policies and Procedures
Employer’s will need to review their Data Protection Policy (which will require important amendments) as well as wider policies that connect to the various aspects of data compliance including the Whistleblowing Policy, Code of Conduct, Electronic Communications Policy, IT Policy and Home Working Policy.
3. Training Programme
Employees will need to understand GDPR and how it applies to them in practice. Delivery of the implementation will need to be supported by a comprehensive training programme that is ongoing, regularly updated and regularly attended by relevant staff.
4. Breach Response
HR ought to contribute and be a part of the business’s breach response plan. Many data issues – such as data leaks – will commonly come to HR first as they are almost always related to employees in some way.
5. Subject Access Requests
The rules on responding to subject access have changed and so HR need to familiarise themselves with the new regime in anticipation of receiving a request post May 2018.
6. Impact assessment and Project Plan
HR should be represented on the working groups tasked with identifying risk factors, impact and finalising the project plan.
Chris is a Senior Associate in the Commercial Team and Head of Data Protection and Privacy. Chris specialises in data protection and privacy, regularly advising clients on national and international data protection matters.