There are now just over 100 days until your business needs to implement the General Data Protection Regulation ("GDPR"). It is becoming increasingly clear that lots of businesses are focussing on the impact of the GDPR on their processing of marketing and client data but have not yet considered the impact of the new regulations on their ability to process their employees' personal data.
In this alert we highlight six key steps you need to take to make sure that you are not caught out and have taken enough action to ensure that your HR policies and procedures are compliant. After all, you do not want to be one of the first businesses forced to pay a fine for a primary infringement, set at up to 20 million Euros or 4% of global turnover, whichever is the greater.
So what should you do?
- Set up or join your business’ GDPR compliance project team: It is essential that HR professionals are involved with this – your team is responsible for processing data relating to both current and former employees, as well as job applicants. You are also likely to have involvement with the wider implications of GDPR compliance including managing the people issues arising from breaches (if any) and may be expected to manage your records of data breach.
- Audit your HR data, HR processes and procedures: You will need to understand what employee data you are processing and the legal justification for doing so. It is therefore important to review the way that your business processes employee data. How secure are your systems? Where are documents stored? How long do you retain data? Do you undertake any processes, such as automated data processing, that may need a Data Protection Impact Assessment?
- Do you need a Data Protection Officer (DPO)? If so, your team will need to determine whether a DPO can be appointed from your workforce and, if not, start recruiting urgently. Even if you don't need to appoint a mandatory DPO, your organisation is likely to appoint someone with responsibility for managing data and ensuring your systems comply. To do so is likely to result in a change to terms and conditions and agreeing a new job specification, another job for HR.
Once these steps are complete you will need, at a minimum, to undertake the following tasks:
- Review and update your employment contracts: If you are processing employee data and relying on their consent to do so, you need to update the contracts to make sure your employees have all the required information about how their data will be processed by you. Employees need to understand how their data will be processed, for what purpose and be reminded of their rights. All of these points should be included in a fair processing notice.
- Consider what policies and procedures need to change and update them: You need a new GDPR-compliant Data Protection Policy, and to conduct a review of the processes you use when dealing with personal data (including any automated data processing and use of data when recruiting staff).
- Train staff: Your managers will need to know about the changes to data protection law introduced by the GDPR, and what they need to do to comply with the new regulation. The changes include new rules relating to Data Subject Access Requests, the reporting of breaches, and data storage, retention and processing requirements. All staff will need to understand that how you process their data from May onwards is changing.
HR has a crucial role to play in ensuring that their organisation achieves compliance with the GDPR. There is a huge amount to do and it's important to start work now.
For more information about Fox Williams’ GDPR team, please see here or contact your usual Fox Williams adviser.