GDPR and HR practices – IN A NUTSHELL

The acronym GDPR has been on the lips of many business owners in recent months and with the wide variety of effects on different organisational functions to consider, one may be forgiven for believing it should stand for Good Day to Panic & Run!

But, there’s no need to worry as long as you take steps to put manageable adjustments in place that will ensure your business is compliant with the General Data Protection Regulation by 25th May 2018.

This blog has been put together to specifically help you understand what GDPR means for the HR practices in your business, with the aim of helping ensure you’re anxiety free and ready to go when the deadline arrives.

Why will GDPR affect HR practices?

With increasingly globalised networks and a shift to online communications, GDPR has been put in place to protect the personal data of EU citizens. It will apply even though the UK will be leaving the EU, because at the time GDPR comes into force we will still be part of the EU and are therefore bound by its requirements.

It’s the biggest change to how data is regulated in 20 years, a period during which much has changed. As a data protection regulation, it means that all organisations will need to review how they handle the data of employees as well as job candidates, and put processes in place to guarantee compliance. Businesses that fail to comply and are found to be in breach of the regulations could be penalised as a result.

Privacy Notices

A privacy notice is used to inform people how their personal data will be used by an organisation, in as transparent and accessible a way as possible. In preparation for GDPR, privacy notices must now clearly outline the intended use of data, including details such as how long the data will be stored and whether it is shared with other countries, within and outside of the EU. Individuals should also be clearly directed to the organisational process for making a subject access request, should they wish to view the information the organisation holds about them.

What should you do? Job applicants and interview candidates should be directed to a privacy notice when sending personal information as part of the recruitment process. Privacy notices should also be shared with new and existing employees with regards to their personal employment records.

Protecting the data of your staff

Beyond the GDPR rules themselves, companies should regard it as an ethical duty to take full responsibility and ownership for protecting employee data: how it is kept and ensuring it is not shared. The personal data you hold about employees and job candidates will more than likely include sensitive information such as home address, date of birth and contact details, and, after recruitment, national insurance numbers and bank account details.

What should you do? First and foremost, review your organisational processes for obtaining, handling and storing CVs, job applications and employee information. There are many ways you can protect this data, including storing it encrypted and password-protected on secure servers, and securely deleting any data relating to unsuccessful candidates after a given period of time. If you use outsourced services such as payroll or candidate verification, check their compliance with GDPR too. You may also want to consider outsourcing cyber security procedures and taking out cyber insurance. If you don’t use an HR database yet, this may be worth implementing, along with reviewing the need for hard copy HR files.

New breach notification requirement

If there is a breach of data protection, GDPR provides clear guidelines on the action that must be taken once the organisation becomes aware of it. Businesses must inform the Data Protection Agency within 72 hours of a breach, or provide justification in the event of a delay. Businesses must also notify individuals affected by a data breach promptly and directly, particularly if the breach presents a high risk to the data subject’s rights and freedoms.

What should you do? If a breach originates from HR-related activity, whoever is responsible for HR in your organisation must liaise with the legal or compliance teams immediately. The organisation’s HR lead is also likely to play a key role in managing data breaches that affect employee data and require data subject notification. Businesses must also review their internal HR and business policies and procedures.

Right to request, review and be removed

If you currently take a ‘one size fits all’ approach to obtaining consent to hold staff data and to communicate with previous candidates or job applicants, you will probably need to think again. Going forward, “specific, informed and unambiguous” consent must be obtained. Current methods of gaining consent (often via a contract of employment) must be reviewed to eliminate any uncertainty about what data is being collected, its purpose, the length of time consent will remain valid, and the process for withdrawing consent at any time. Individuals will also be able to request, at any time, to know what data you hold about them, where it is kept, and how it is used.

What should you do? You must respond to requests and act upon them, so you may want to put in place a procedure, shared with your senior management team, on what to do if they are approached by an individual for this information. It is also likely that all current staff members will need new contracts containing updated consent requests.

Consequences for staff of non GDPR compliance

It’s really important that all your staff are aware of this significant change to how data is managed and protected, as it will impact many aspects of your business. In particular, they need to understand that data can’t be shared without explicit consent (no matter how good the intention for doing so is) and that there may be serious personal consequences of a data breach that results from poor data security practices.

What should you do? Identify who needs to be trained, what they need to know and who will do this. Check existing policies to see if they need updating to reflect GDPR, e.g. updating the disciplinary policy so that serious data security failures and/or data breaches count as gross misconduct. Review all internal communications and current data storage systems. Don’t forget email, which can harbour all sorts of highly confidential personal data.

Data Protection Officers 

Businesses that handle special categories of data or data relating to criminal convictions and offences (sometimes included on recruitment applications) must have a designated Data Protection Officer (DPO). A DPO is someone who takes on additional responsibilities for implementing processes and monitoring compliance with GDPR and advising individuals and teams on GDPR compliant approaches to data management.

What should you do? It may be worth considering appointing a nominated ‘senior’ member of staff either from within your organisation, or someone external to the company, to act as a DPO for your organisation.

IF YOU WANT ANY HELP OR ADVICE please get in touch with us at Amelore by calling 01453 548070 or emailing ruthcornish@amelore.com.

GDPR – Managing HR & Payroll records

As preparations for GDPR continue, all employers must be aware of which employee data is covered by the Data Protection Act and have a specific policy on the retention times for particular types of employee data.

As a general rule, information should only be retained as long as there is a clear business need for it and it should be securely destroyed (e.g. by shredding) after that period has passed.

Minimum retention times for employee data are as follows:

  1. Salary Records and Deductions

Records to be retained: Employers must collect and keep records of what they pay their employees and the deductions made, including a record of employee leave and sickness absence (see below).

Retention period: Three years after the end of the tax year to which the records relate. If full records are not kept, HM Revenue and Customs (HMRC) may estimate what the employer has to pay and charge a penalty of up to £3,000.

  2. Incapacity for Work

Records to be retained: Employers should keep Statutory Sick Pay (SSP) records (calculations, certificates and self-certificates) covering: all sickness periods lasting at least four days; SSP payments; and weeks for which SSP was not paid and why.

Retention period: Three years after the end of the tax year in which the sickness periods occurred and SSP payments were made.

  3. Working Time

Records to be retained: Records that are adequate to show that the requirements of the Working Time Regulations are being, or have been, met, e.g. the limits on weekly working time, daily and weekly working time for young workers, and night work.

Retention period: Two years from the date on which the records were made.

  4. National Minimum Wage

Records to be retained: Records that are adequate to establish that every worker is being, or has been, paid at a rate at least equal to the National Minimum Wage.

Retention period: Three years from the day the pay reference period immediately following that to which the records relate ends.

  5. Absence during Pregnancy and Statutory Maternity Pay (SMP)

Records to be retained:

  • the date of an employee’s first day of absence from work, wholly or partly because of pregnancy or childbirth and, if different, the date of the first day when such absence commenced;
  • the weeks in that tax year in which Statutory Maternity Pay (SMP) was paid to that employee and the amount paid in each week;
  • any week in that tax year within the employee’s maternity pay period for which no payment of SMP was made (and the reasons why); and
  • any medical certificate or other evidence relating to the employee’s expected week of childbirth.

Retention period: Three years after the end of the tax year in which the employee’s maternity pay period ended.

  6. Statutory Paternity Pay, Statutory Shared Parental Pay and Statutory Adoption Pay

Records to be retained:

  • the date the paternity pay period, shared parental pay period or adoption pay period began;
  • the evidence provided by the employee in support of his or her entitlement to statutory paternity pay (SPP), statutory shared parental pay (ShPP) or statutory adoption pay (SAP);
  • the weeks in that tax year in which payments of SPP, ShPP or SAP were made and the amount paid in each week; and
  • any week in that tax year which was within the employee’s paternity pay period, shared parental pay period or adoption pay period but for which no payment was made (and the reasons why).

Retention period: Three years after the end of the tax year in which payments of SPP, ShPP or SAP were made.

  7. Employee HR files

Records to be retained: HR files, including employee contracts.

Retention period: Six years after the employment terminates. This takes into account that there is the possibility that any documents relating to an employee could be relevant to a Tribunal, County Court or High Court claim, for up to six years after termination of employment. The Information Commissioner considers this as acceptable on the basis that an employer is keeping information to protect against legal risk.

  8. Job Applications

Records to be retained: CVs/application forms and interview records of unsuccessful candidates.

Retention period: Six months after notifying unsuccessful candidates of the outcome of their application. This takes into account the fact that a job applicant can bring a claim for discrimination in an Employment Tribunal within three months from the date of the rejection for the role, but also that this time limit can be extended where a Tribunal feels it is just and equitable to do so.

  9. Accident Records

Records to be retained: Records of accidents in the workplace.

Retention period: At least three years from the date on which the accident record was made.

Accident records are considered sensitive data and so employers must ensure that the personal information involved is not seen by other members of staff.

GDPR (what you need to know) part 3

This article forms part of our GDPR series in which Amelore employment experts offer practical advice ahead of the coming into force of the GDPR in May 2018.

The General Data Protection Regulation (the Regulation) represents the most significant shift in European data protection legislation since the Data Protection Directive (enacted in the UK through the Data Protection Act) of the late 1990s. The Regulation presents a very significant challenge to all data-driven units of modern business, not least human resources (HR).

In this article, we explore the legal and practical challenges the Regulation’s requirements pose to HR.

Scope

The GDPR expands the scope of European data protection legislation in both subject matter and territorial application. For the first time data processors (parties who process personal information on behalf of a data controller) will find themselves required to meet direct regulatory obligations. In addition, the Regulation’s intended jurisdiction is no longer restricted to EU-based organisations. The Regulation brings in scope any organisation selling to or monitoring the behaviour of EU citizens. Like much European law, the extent to which the Regulation will see successful enforcement outside of the EU is a developing area.

From an HR perspective, these provisions raise significant considerations for global employers and for providers of virtual HR and HRIS products. For a multinational employer, a detailed understanding of global data flows will become increasingly key. This is especially critical where a centralised storage and database solution manages global (both EU and non-EU group company) HR data. Non-EU group companies using a shared resource may find themselves directly affected by the GDPR.

For outsourced HR and recruitment, and for HR software providers, the Regulation is set to present a new legal burden. At present, suppliers acting as data processors have enjoyed liability limited only to their contractual arrangements with data controllers. Under the Regulation, such processors will be required to comply directly with GDPR and, by extension, face direct liability (and, under certain circumstances, the same fine thresholds as data controllers).

Fines

Regulatory fines under the GDPR are set to increase well beyond the ICO’s current enforcement ceiling of £500,000, representing a fundamental shift in risk profile for UK organisations.

That said, the Regulation grants Data Protection Authorities significant discretion as to whether and the extent to which fines will be imposed on an organisation, in the event of a breach.

In addition, the fine parameters are set against a two tier system to account for the comparative seriousness of different breaches.

From an HR perspective, it is critical for organisations to consider whether existing policies and procedures lack GDPR compliance, especially where time limits may be a factor, e.g. in relation to breach notification (see below).

Privacy Notices

The Regulation mandates a host of required information, which a data controller must provide to an individual data subject at the point at which personal data is collected. Non-exhaustively, these include details of:

  • the legal basis upon which personal data will be processed;
  • how long personal data will be retained;
  • if, and the extent to which, personal data will be transferred overseas, and, in the event that personal data will be transferred outside of the EEA, the appropriate safeguards in place to protect that data; and
  • the mechanism by which an individual would make use of their data subject rights, including:
    • how to make a subject access request; and
    • how to request the deletion or rectification of personal data.

These mandatory requirements present employer challenges both in relation to the employee/employer relationship and in the context of job applicant data.

Employers must consider whether existing employee and applicant notices meet GDPR requirements and consider how clarity and accessibility of notices can be ensured.

Employee Rights

The Regulation significantly enhances the rights of data subjects, which will in turn present greater compliance obligations for employers.

Areas which face significant change include:

  • the information to be provided to data subjects in response to a subject access request – we will address this in detail later in the series;
  • the more detailed set of information the Regulation mandates be provided to a data subject, particularly in relation to the purpose and means by which personal data is processed;
  • data rectification rights (in circumstances in which data held about a data subject is inaccurate or incomplete) – in some respects rectification rights remain unchanged under the Regulation. However, data controllers will now face a mandatory obligation to notify third parties in the event that data is amended in response to a data subject request. Employers should be prepared to notify any third parties to which employee data has been transferred and consider how they might implement procedures to action this obligation in practice; and
  • the right to be forgotten – this new right presents a potentially significant practical challenge for employers, particularly where employee personal data is backed up in somewhat inaccessible or complex systems. Much like rectification rights, a data subject’s right to have their personal data deleted on request should prompt all employers to consider how this would be achieved in practice.

Breach Notification

The Regulation introduces dramatically enhanced requirements in relation to breach notification.

In summary, a data controller:

  • must notify the relevant DPA within 72 hours of becoming aware of a breach, unless it can provide justification for a delay; and
  • is required to notify data subjects affected by a breach directly, without undue delay, if the breach is likely to present a high risk to the individual’s rights and freedoms.

The second obligation is tempered by exceptions, such as where the personal data is encrypted. Under these limited circumstances, controllers may be spared the obligation to notify data subjects directly.

For HR, this presents a two-fold challenge. Should a breach originate within HR itself, effective co-ordination between HR and an organisation’s legal and/or compliance teams is likely to prove critical (especially when considering the tight timeframe for response). In addition, should the breach affect employee data and require data subject notification, HR is likely to play a key management role. Ensuring compliance will likely require a complete review of internal policies and procedures, with a particular focus on efficient internal communications. Data processors are also required to report breaches to data controllers.

Employee Consent

A change HR is likely to feel very directly is in relation to the use of consent as grounds for processing employee personal data. Non-specific consents to processing are unlikely to be considered valid under the GDPR.

Practical steps to compliance

The following are likely to prove critical risk management steps:

  • comprehensive gap analysis and business wide data protection audits;
  • a full review of internal and external policies, procedures, templates and information notices;
  • consideration of consent alternatives; and
  • consideration of (potentially mandatory) data protection officer appointment, and instruction of external legal/ compliance support.

Our next article will look at how to conduct a gap analysis and a wider data protection audit.

Looking forwards

The GDPR clearly represents a significant compliance hurdle. Employers must therefore maintain an awareness of developments at a national level, especially in relation to equality, recruitment and health and safety provisions.

Employers should, however, take some comfort that some element of harmonisation between EU data protection law and the UK’s eventual domestic position will be desirable. Compliance with the GDPR’s requirements will likely be the most efficient way for organisations to futureproof.

Disclaimer

This document is for informational purposes only and does not constitute specific advice. It is recommended that specific professional advice is sought in relation to your situation and organisation before acting on any of the information given.

GDPR – Employee record keeping and beyond

In a series of blogs, Amelore begin to look at GDPR from an HR perspective to ensure employers are ready for the new requirements in respect of their employee data and beyond. This will form part of a continuous focus on this hot topic until May 2018, when GDPR goes live. We appreciate many companies may not yet have begun their GDPR journeys, so we will be offering advice and guidance in short blogs. We will also help to signpost employers to useful information which extends beyond the processing of employee data.

GDPR is itself an extension of existing UK data protection laws. This new legislation builds on the Data Protection Act (DPA) which employers already need to adhere to. DPA principles cover areas such as ensuring employers keep accurate, secure information.

The ICO (Information Commissioner’s Office) are at the forefront of helping organisations understand this evolution of our data protection laws. They recently published GDPR Myths, a series of blogs that helps to demystify the new regulations.

Data breach – what an employer needs to do?

In the ICO’s latest blog they provide valuable advice and guidance on how employers need to respond if a data breach occurs. They report that some employers have expressed concern that every data breach needs to be reported and that huge fines will ensue. The ICO say this is not the case and that only breaches that are likely to risk people’s rights and freedoms will need to be reported.

The ICO also point out that fines will be proportionate and that companies who are open, honest and report without undue delay can avoid fines. It is expected that by now, larger organisations will already have appointed a Data Protection Officer (DPO). However, smaller organisations are also advised to consider who in their organisation is responsible for data. We would advise all organisations, no matter how small, to know who is responsible for data (again not just employee data) and who is responsible for reporting a breach should it occur. This starts to form a robust approach to data governance.

Employee data processing

Employee data processing will be a key focus for many organisations, however some employers may be worried about any potential changes to how they currently store their data.

All organisations will be storing employee records in some way, shape or form, so you are now advised to review these filing systems, including the security of the data you are processing in respect of employing people, to ensure robustness. We have already observed some organisations writing to their third-party data processors asking for evidence of their compliance.

Handlers of this data need to make sure they are processing it fairly and for legitimate purposes. Furthermore, if they are transferring it outside of the EEA, they must ensure specific safeguards are in place.

For those employers wondering if the UK’s exit from the EU will affect GDPR, the government has already confirmed it will not. However, please note that international companies operating across EU states will need to work out who their lead data protection supervisory authority is.

Forming a data protection working party or project team to audit what data is being processed is also advisable. Many companies are already helping organisations with data mapping and auditing. Amelore work closely with Mazars to provide a range of services for our clients.

In summary, the good news is that common sense does prevail: processing data where it is necessary for the performance of a contract will be a valid reason for processing. If you have any queries or questions in relation to any of the points made, please contact Amelore for further advice and guidance.

We will continue to focus on this topic as we approach next year, tackling other aspects of the GDPR (link to first blog) in further detail, such as consent, the right to be forgotten, and subject access requests.