With only a few weeks to go until the General Data Protection Regulation ("GDPR") becomes directly applicable on 25 May 2018, many organisations are entering a crucial period as they seek to 'upgrade' their privacy & data protection standards to meet new and enhanced legal requirements.
At its core, the GDPR dramatically heightens expectations on businesses in the way that they manage, use, store, secure and otherwise process personal data. Clearly, HR and Talent functions act as the custodians of significant volumes of often sensitive or confidential personal data within any organisation, and must therefore take centre stage as this new and demanding law bites.
It may be easy or tempting to think of the processing of employee, applicant and contractor information as having less priority than other areas of the business. However, the GDPR – and its significantly enhanced penalties (including administrative fines of up to 4% of an undertaking's worldwide turnover or EUR 20 million (whichever is higher)) for non-compliant organisations – does not hold these categories out as deserving of more lenient rules. Works councils and members of staff are often the source of issues raised directly with companies and also with regulators. The risk of penalties will also be enhanced by the prospect of vicarious liability for employers and this could stem from a seemingly minor data breach by an employee in the 'course of employment'. HR functions that remain unsure how the new rules will affect their activities and obligations should act now.
To assist businesses with their HR-specific GDPR compliance programmes, we have identified – at a high level – a number of key action points in the checklist below, as split between eight prominent GDPR themes. We have experience in each of these areas and would be happy to help guide your business through these challenging new requirements.
Individuals engaged by any organisation (whether employees, contractors, applicants, interns or volunteers, for example) need to be provided with more detailed, granular and accessible information setting out how their personal data is used. This is commonly set out in a 'privacy notice' and must be provided to individuals at the outset of any relationship and updated regularly. Key compliance steps will include:
- Review / update employee and applicant-facing privacy notices to meet detailed information requirements.
- Implement procedures to ensure notices are provided on time, updated in line with new processing activities and version control records are kept.
- Consider the introduction of tailored notices for specific, or risky, processing activities, such as background checks and the provision of certain benefits.
2. Individual rights:
Organisations will need to be aware of enhanced individual rights of access (under a refined data subject access regime), objection and rectification, as well as new rights to data portability, restriction and erasure. HR teams must be able to recognise and deal with individual requests within strict deadlines. The following will assist with this:
- Introduce business-facing, practical guidance and training modules on recognising and responding to individual data protection requests under the GDPR.
- Work with IT / Tech teams to conduct system testing and ensure ability to properly respond to the exercise of each individual right at both technical and practical levels.
- Implement formal retention periods for particular categories of HR data and conduct data cleansing exercises in accordance with these limits.
3. Legality of processing:
The processing of personal data for each identified HR purpose must be justified on at least one of a number of strictly prescribed legal grounds. The days of relying on employee consent, which will be harder to justify and is unattractive given rights to withdraw consent must be honoured, in the context of an employment relationship, are over. Alternative legal grounds, such as reliance on an organisation's 'legitimate interests' or contractual necessity, will be required instead. Businesses should, at minimum:
- Audit and allocate specific GDPR-compliant legal grounds to all identified HR data processing activities and purposes, including those involving special categories of (i.e. sensitive) personal data.
- Document valid legal grounds within privacy notices and, where possible or required under local laws, an organisation's record of processing activities.
- Update policy and contractual documentation (including employment contacts) to remove reference to employee consent as an applicable legal basis for processing.
4. Data quality and minimisation:
Businesses must be able to demonstrate 'data protection by design and default' within internal systems, so that the concept of data minimisation (whereby the minimum amount of data is retained for the shortest possible period) is central within HR functions. This can be achieved through a combination of technical, organisational and practical measures, such as the following:
- Introduce clear guidance and reporting frameworks to assess and approve the necessity and scope of all new or amended HR data processing initiatives.
- Formalise clear HR data retention limits (both internally and with vendors) and co-ordinate with IT to ensure internal implementation on a technical level.
- Draft business-facing guidance to ensure planned and / or current 'risky' processing activities are identified and subject to a GDPR compliant Data Protection Impact Assessment ("DPIA") (see point 8 below).
- Consider whether the organisation needs to appoint a formal Data Protection Officer ("DPO") under the GDPR, or alternatively whether the appointment of dedicated privacy specialists whose job specification is clearly not that of a GDPR "DPO" can be justified. As the GDPR requires that a DPO acts independently and is not dismissed or penalised for performing their tasks, it is important to understand the implications of such appointment.
5. Data sharing:
Where HR data is shared within a corporate group (such as on a HR IT platform or in the course of carrying out specific investigations or redundancy exercises), or with external service providers (such as those offering hosting platforms, employee database management products or facilitating benefits / payroll administration) organisations will need to implement new practical and contractual arrangements with each recipient to ensure they will handle the data properly. The following steps would be sensible, at a minimum:
- Audit intra-group flows of personal data, classify potential recipients (i.e. data controller or processor) and implement enhanced data sharing agreements in line with GDPR duties.
- Map personal data flows to external HR vendors, undertake a classification exercise (as immediately above) and update written service contracts to reflect new requirements.
- Enhance any formal on-boarding process for vendors to include both privacy 'classification' and 'vetting' assessments (i.e. whether they can comply with their data protection obligations in practice). Schedule regular reviews.
- Ensure that data transfer obligations are met (see point 6 below).
6. Data transfers:
Whilst the GDPR does not fundamentally change requirements relating to the transfer of personal data across borders, organisations reassessing their data sharing arrangements (as above) would be sensible to use this opportunity to consider the continued adequacy of their current international transfer mechanisms, including Standard Contractual Clauses ("SCCs"), Binding Corporate Rules and the EU-US Privacy Shield. HR functions should focus on:
- Mapping international flows of HR data (both internal and external), bearing in mind that merely accessing information abroad constitutes a transfer for data protection purposes.
- Ensuring that where personal data is transferred outside the EEA, or another jurisdiction subject to an EU Commission adequacy decision, each potential recipient (whether a group entity or external third-party) is covered by a valid data transfer mechanism.
- Implement and maintain a 'living' database (possibly as part of a formal 'record of processing activity', see point 8 below) of personal data recipients and corresponding data transfer mechanisms, which can be provided to individuals on request.
7. Data breaches:
The GDPR raises the stakes in respect of personal data security, not least because of its significantly increased potential fines and sanctions should data breaches occur. Organisations will need to be able to quickly recognise, isolate, mitigate and respond to security incidents in line with a formal procedure, and report certain breaches to their regulator (within 72 hours) and / or individuals. HR functions and individual business units must be aware that the term 'data breach' is not limited to malicious hacking; misplaced hard-copy personnel files and erroneous email recipients can be covered too. Breaches could stem from employee actions which, on the face of it, seem innocuous, for example forwarding an email chain which contains personal data / sensitive data (e.g. ‘she is not coming to work today because her daughter has chicken pox’). In the UK, it also now appears that organisations can be vicariously liable for data breaches caused by rogue employees. Risks can be reduced by taking the following minimum steps:
- Implement clear and well-rehearsed security / data breach procedures – in conjunction with IT teams – to ensure data breaches can be mitigated quickly, and reported within 72 hours.
- Ensure appropriate technical and organisational security measures cover all HR systems and functions, including 'need-to-know' access limitations, encryption and regular training / guidance.
- Subject security measures to periodic testing and evaluation – much like a fire drill – to ensure an organisation's ability to respond in varied scenarios.
- Put staff on notice that any breach (whether electronic or physical) must be reported immediately, ensuring that disciplinary policies are updated to make clear that responsibility for, or failing to report, any security incident may be considered a disciplinary offence.
- Review restrictive covenants, as well as confidentiality and IP provisions within employment contracts and consultancy agreements.
Passive compliance with the GDPR is not possible. Instead, all business functions – including HR – will now need to 'demonstrate compliance' with their data protection obligations. Organisations should work towards this requirement by: (i) introducing detailed data protection policies and training; (ii) subjecting internal controls to regular audit and review; and (iii) maintaining a comprehensive, up-to-date 'record' of all processing activities. With this in mind, businesses should:
- Produce and maintain a comprehensive 'record of processing activity' in line with GDPR requirements, which can be provided to data protection authorities on request.
- Implement and / or update employee-facing policies and training (including IT and disciplinary procedures) addressing all key areas discussed above.
- Subject internal procedures and controls to regular review and testing, ensuring that results and remedial measures are properly documented.
- Consider undertaking DPIAs where processing appears 'risky', such as employee monitoring and background checks.
NB: This document is intended as an illustrative overview only, will not be appropriate for all organisations and is not intended to be a substitute for specific legal advice.
Please also note that under the GDPR, individual EU member states are entitled to introduce more detailed and restrictive local laws in respect of the processing of personal data within the employment context. Compliance programmes will need to take any local variations into account, as applicable to their countries of operation.