This article forms part of our GDPR series in which Amelore employment experts offer practical advice, ahead of the coming-into-force of the GDPR in May 2018.
The General Data Protection Regulation (the Regulation) represents the most significant shift in European data protection legislation since the Data Protection Directive (enacted in the UK through the Data Protection Act) of the late 1990s. The Regulation presents a very significant challenge to all data-driven units of modern business, not least human resources (HR).
In this article, we explore the legal and practical challenges the Regulation’s requirements pose to HR.
The GDPR expands the scope of European data protection legislation in both subject matter and territorial application. For the first time data processors (parties who process personal information on behalf of a data controller) will find themselves required to meet direct regulatory obligations. In addition, the Regulation’s intended jurisdiction is no longer restricted to EU-based organisations. The Regulation brings in scope any organisation selling to or monitoring the behaviour of EU citizens. Like much European law, the extent to which the Regulation will see successful enforcement outside of the EU is a developing area.
From an HR perspective, these provisions raise significant considerations for global employers, and for providers of virtual HR and HRIS products. For a multinational employer, a detailed understanding of global data flows will become increasingly key. This is especially critical where a centralised storage and database solution manages global (both EU and non-EU group company) HR data. Non-EU group companies using a shared resource may find themselves directly affected by the GDPR.
For outsourced HR and recruitment, and HR software providers, the Regulation is set to present a new legal burden. At present, suppliers have, as data processors, enjoyed liability limited only to their contractual arrangements with data controllers. Under the Regulation such processors will be required to comply directly with the GDPR and, by extension, face direct liability (and the same fine thresholds as data controllers under certain circumstances).
Regulatory fines under the GDPR are set to increase well beyond the ICO’s current enforcement ceiling of £500,000, representing a fundamental shift in risk profile for UK organisations.
That said, the Regulation grants Data Protection Authorities significant discretion as to whether and the extent to which fines will be imposed on an organisation, in the event of a breach.
In addition, the fine parameters are set against a two-tier system to account for the comparative seriousness of different breaches.
From an HR perspective, it is critical for organisations to consider whether existing policies and procedures fall short of GDPR compliance, especially where time limits may be a factor, e.g. in relation to breach notification (see below).
The Regulation mandates a host of required information, which a data controller must provide to an individual data subject at the point at which personal data is collected. Non-exhaustively, these include details of:
These mandatory requirements present employer challenges both in relation to the employee/employer relationship and in the context of job applicant data.
Employers must consider whether existing employee and applicant notices meet GDPR requirements and consider how clarity and accessibility of notices can be ensured.
The Regulation significantly enhances the rights of data subjects, which will in turn present greater compliance obligations for employers.
Areas which face significant change include:
The Regulation introduces dramatically enhanced requirements in relation to breach notification.
In summary, a data controller:
For HR, this presents a two-fold challenge. Should a breach originate within HR itself, effective co-ordination between HR and an organisation’s legal and/or compliance teams is likely to prove critical (especially when considering the tight timeframe for response). In addition, should the breach affect employee data and require data subject notification, HR is likely to play a key management role. Ensuring compliance will likely require a complete review of internal policies and procedures, with a particular focus on efficient internal communications. Data processors are also required to report breaches to data controllers.
A change HR is likely to feel very directly is in relation to the use of consent as grounds for processing employee personal data. Non-specific consents to processing are unlikely to be considered valid under the GDPR.
Practical steps to compliance
The following are likely to prove critical risk management steps:
Our next article will look at how to conduct a gap analysis and a wider data protection audit.
The GDPR clearly represents a significant compliance hurdle. Employers must therefore maintain an awareness of developments at a national level, especially in relation to equality, recruitment and health and safety provisions.
Employers should, however, take some comfort that some element of harmonisation between EU data protection law and the UK’s eventual domestic position will be desirable. Compliance with the GDPR’s requirements will likely be the most efficient way for organisations to future-proof.
This document is for informational purposes only and does not constitute specific advice. It is recommended that specific professional advice is sought in relation to your situation and organisation before acting on any of the information given.