The acronym GDPR has been on the lips of many business owners in recent months and with the wide variety of effects on different organisational functions to consider, one may be forgiven for believing it should stand for Good Day to Panic & Run!
But, there’s no need to worry as long as you take steps to put manageable adjustments in place that will ensure your business is compliant with the General Data Protection Regulation by 25th May 2018.
This blog has been put together to specifically help you understand what GDPR means for the HR practices in your business, with the aim of helping ensure you’re anxiety free and ready to go when the deadline arrives.
Why will GDPR affect HR practices?
With increasingly globalised networks and a shift to online communications, GDPR has been put in place to protect the personal data of EU citizens and will apply even though the UK will be leaving the EU, due to the fact that at the time of GDPR coming in to force we will still be part of the EU and are therefore bound by the requirements.
It’s the biggest change to hit how data is regulated in 20 years during which time much has changed. As a data protection regulation, the changes will mean that all organisations will need to review how they handle the data of employees as well as job candidates, ensuring processes are put into place to guarantee compliance. If businesses fail to comply and are found to be in breach of the regulations, they could end up penalised as a result.
A privacy notice is used to inform people how their personal data will be used by an organisation in as transparent and accessible way as possible. In preparation for GDPR, privacy notices must now clearly outline the intended use of data, including detail such as how long the data will be stored, and whether this data is shared with other countries within and outside of the EU. Individuals should also be clearly directed to the organizational process for making a subject access request to view information about them held by the organisation if they wish to do so.
What should you do? Job applicants and interview candidates should be directed to a privacy notice when sending personal information as part of the recruitment process. Privacy notices should also be shared with new and existing employees with regards to their personal employment records.
Protecting the data of your staff
In addition to GDPR rules, it should be considered ethical that companies take full responsibility and ownership when it comes to protecting employee data, how it is kept and ensuring it is not shared. Personal data you may hold about employees and job candidates would more than likely include sensitive information such as home address, date of birth, contact details, and after recruitment, national insurance numbers and bank account details.
What should you do? First and foremost you should review your organisational processes for obtaining, handling and storing CV’s, job applications and employee information. There are many ways you can protect this data including the implementation of encrypted passwords on secure servers and deleting securely any data relating of unsuccessful candidates after a given period of time. If you use outsourced services like payroll or candidate verification, check their compliance with GDPR too. You may also want to consider outsourcing a cyber security procedure and taking out cyber insurance. If you don’t use an HR database yet, this may be worth implementing along with reviewing the need for hard copy HR files.
New breach notification requirement
If there is a breach of data protection, GDPR provides clear guidelines on the action that must be taken after receiving a breach notification. Businesses must inform the Data Protection Agency within 72 hours of a breach, or provide justification in the event of a delay. Businesses must also notify individuals affected by a data breach promptly and directly, particularly if the breach presents a high risk to the data subject’s rights and freedoms.
What should you do? If a breach originates from HR related activity, whoever is responsible in your organisation for HR must liaise with legal or compliance teams immediately. The same person with the organizational HR lead is also likely to play a key role in the management of data breaches affecting employee data that require data subject notification. Businesses must also take action to review internal HR and business policies and procedures.
Right to request, review and be removed
If you currently take a ‘one size fits all’ approach with regard to obtaining consent to hold staff data and to communicate to previous candidates or job applicants, you will probably need to think again. Moving forward “specific, informed and unambiguous” consent must be obtained. Current methods of gaining consent (often via a contract of employment) must be reviewed to eliminate any uncertainty about what data is being collected, its purpose, the length of time consent will remain valid, and the process for withdrawing consent at any time. Individuals will also be able to request at any time, to know what data you hold about them, where it is kept, and how it is used.
What should you do? You must respond to requests and act upon them, so you may want to put in place a procedure that is shared with your senior management team on what to do in the event they get approached by an individual for this information. The likelihood is also, that all current staff members will need new contracts containing updated consent requests.
Consequences for staff of non GDPR compliance
It’s really important that all your staff are aware of this significant change to how data is managed and protected as it will impact on many aspects of your business. In particular they need to understand that data can’t be shared without explicit consent (no matter how good the intention for doing so is) and that there may be serious personal consequences of something like a data breach if it was due to poor data security practices.
What you should do? Identify who needs to be trained, what they need to know and who will do this. Check existing policies to see if they need updating to reflect GDPR. Eg Disciplinary policy to capture Serious data security and/or data breach as gross misconduct. Review all internal communications and current data storage systems. Don’t forget email which can harbor all sorts of highly confidential personal data.
Data Protection Officers
Businesses that handle special categories of data or data relating to criminal convictions and offences (sometimes included on recruitment applications) must have a designated Data Protection Officer (DPO). A DPO is someone who takes on additional responsibilities for implementing processes and monitoring compliance with GDPR and advising individuals and teams on GDPR compliant approaches to data management.
What should you do? It may be worth considering appointing a nominated ‘senior’ member of staff either from within your organisation, or someone external to the company, to act as a DPO for your organisation.
IF YOU WANT ANY HELP OR ADVICE please get in touch with us at Amelore by calling 01453 548070 or emailing firstname.lastname@example.org.