3. Introduction to GDPR for HR

Introduction

Any organisation that employs people will need to consider GDPR (General Data Protection Regulation) for HR.  Your employees are ‘data subjects’ and therefore their personal data must be managed in line with GDPR (in order to avoid potential fines, claims and reputational damage).  GDPR is also about good housekeeping.

GDPR requires you to identify the legal basis for keeping employee details and to provide information to employees about how you keep their data (e.g. in privacy statements). You also need to consider who has access, general security, how long you keep data and whether it is sent to any third parties etc.

Employees also have rights under GDPR.

What is GDPR?
 
GDPR is about Data Protection and came into force on 25th May 2018, replacing the Data Protection Act 1998.  Every business needs to be aware of this and comply.
 
GDPR stands for the General Data Protection Regulation. GDPR was introduced by the European Union to strengthen the laws surrounding data protection (and personal data). The Data Protection Act 2018 is the UK's implementation of GDPR and tailors how GDPR applies in the UK.
 
GDPR will cover every area of a business, as it will apply to all personal data held on a 'data subject'. This includes data you hold on your clients, prospects, suppliers and of course your employees.
 
GDPR brings the law up-to-date and more in-line with current technologies. Quite simply, back in 1998 (when the Data Protection Act came in), technology was completely different. Computers were in their infancy, no-one shopped 'online' and no-one had heard of Facebook! In the years since the Data Protection Act, technology has changed our world beyond recognition - and so the law surrounding personal data needed to be updated.
 
However, GDPR is not confined to digital data. It also covers good old-fashioned paper files and data kept in your filing cabinets or desk drawers!
 
GDPR also brings much tougher fines. Up to 4% of annual turnover or 20 million Euros in the event of a serious data breach or non-compliance. It also gives individuals a much greater say over how their personal data is used and stored by an organisation. 
 
To comply with GDPR you need to have an understanding of the key principles and rights. To start with, here is an easy road map to help with navigating towards GDPR compliance for HR (i.e. employee data):
 
1.    Understand the key principles of GDPR and the rights granted to data subjects (from an HR aspect, these are your employees). 
2.    Understand what data you keep and process (create a register of the data you keep). You also need to know who has access to data, where you keep it, why you keep it and for how long.
3.    You can then compare what you currently do against the principles and rights and make changes to your working practices, policies and procedures as appropriate.
4.    Identify an acceptable legal basis for keeping the data (as set out in the GDPR). 
5.    You also need to know what you will do if there is a breach to make sure this is recorded and reported correctly.
6.    Finally - keep everything under review - check that any changes to working practices and new policies are being adhered to, so you remain compliant. This will include making all employees aware (e.g. through training) about GDPR.

Consent
 
Under the Data Protection Act 1998 everyone relied on consent to process employee data. In most contracts of employment there would have been a 'data protection' clause that confirms that an employee is giving their consent. You cannot continue to rely on this under GDPR.
  
Firstly, if you do use consent it needs to be clear and will require a positive opt-in.  You cannot rely on implied consent and can no longer just include a general clause in the contract of employment to cover consent!
 
But the real problem with consent is that employees have the right to withdraw their consent. So just think what might happen if you are relying on consent in some areas. For example, if you rely on consent to keep bank details and consent is withdrawn, how will you pay someone?
 
Where possible we would recommend you find a legitimate basis other than consent.  In the majority of areas you will have a legitimate basis for keeping and processing employee data (see the example GDPR policy).
 
Consent may be appropriate in exceptional circumstances, for example if you are using photos of employees on your Company website.
 
An important note about data breaches
The majority of breaches will be the result of some human intervention. So, while IT security is important, it is just as important, if not more, to raise awareness of GDPR among your employees. If they can relate to GDPR  (e.g. how would they feel if their personal data was used inappropriately or if sensitive data was not secure, if someone committed fraud using their personal data, like taking out loans or shopping on Amazon using their details?) then they are more likely to consider how they handle personal data for others. This cultural change is probably the most effective way to ensure you comply with GDPR.