Coming into force in May 2018, the GDPR will be applicable to all UK organisations and the Government has indicated that it will apply to UK employers. The GDPR places greater obligations on employers to inform employees about how their personal data is processed, as well as, to justify their grounds for doing so. There is only a short time remaining to ensure compliance, so it is critical for HR professionals to undertake an in-depth review of all existing policies and procedures which concern HR data and to assess the implications of the GDPR for them. The significance of the GDPR cannot be underestimated.
Have you got permission?
Under the GDPR an employee is able to withdraw their consent to process personal data as easily as they give it. In light of this, it is unlikely that blanket data protection consent clauses, often seen in employment contracts and policies, will meet the new requirements. To rectify this, HR professionals will need to review the basis blanket clauses relied on for processing employee data and consider whether they are still appropriate.
Update, update, update
In order to satisfy regulations organisations may need to update their employment contracts, including those for existing employees, as well as create consent forms specifically about the GDPR.
In the event of breach, act fast
In the case of a data breach employers must notify the relevant supervisory authority within 72 hours of becoming aware of the situation. Where it is likely to result in a high risk to rights and freedoms, employees must also be notified “without undue delay”. As a result, safeguards to data processing activities will need to be established and clear processes for notifying breaches created.
Training & awareness
Recent judgements by the Information Commissioner have highlighted and punished organisations for the lack of training and awareness about the existing regulations. This is likely to become an ongoing theme, especially in the run up to the introduction of the GDPR. It is essential that organisations consider a comprehensive awareness campaign both with decision makers to prepare for the change and all those having access to personal information. There is an expectation that it is covered in employee onboarding and continual training programmes.
Stakeholder buy-in is a must
In order to comply with the new regime, it is likely significant changes for organisations will be required to ensure there are adequate systems, contractual provisions, and training in place. ‘Buy-in’ from a range of internal stakeholders is going to be essential. With penalties of up to 4% of worldwide turnover or €20m (whichever is greater) in addition to the effects a breach could have on an employer’s reputation, we strongly recommend compliance at all levels to be an urgent priority, particularly for HR professionals.
Requests for information
While subject access requests (SAR) exist in the current legislation there will be a reduced window to respond under the GDPR. It is highly possible that HR teams will be the first port of call for information requests, for example unsuccessful applicants, ex-employees, grievance and termination processes. HR teams need to have a robust and tested process for dealing with requests in the calendar month deadline.
If you're unsure about how the GDPR will impact your organisation or if you need some help getting your head around where to start, please contact email@example.com