Got Data? Panic and Run - What does the GDPR mean for HR?


The History of Data Protection Legislation
The history of data protection legislation is inextricably linked with the ever-expanding world of technological innovation. Reflecting the fact that companies can now process increasing amounts of data in ever more creative ways, the latest legislation, the General Data Protection Regulation (GDPR), which comes into force in May next year, is set to be the toughest data privacy law in European business history.
Personal data is absolutely everywhere, and it’s easy to forget just how far technology has come over the past few years, a development that has led to this proliferation of data. For example, in 1956 a 5MB hard drive had to be forklifted onto a plane for transportation; today 5GB USB sticks are readily available and fit conveniently into your pocket, and you can even store data in the cloud.
Use of Data in Human Resources
From an HR point of view, we should approach the GDPR from a life-cycle perspective: follow the data through the business from recruitment through to the mover/leaver policy and everything in between. What exactly is our hiring process? Which recruitment companies do we use? How do we handle sick notes, appraisals and pensions? All of these need considering.
Every HR department holds a variety of both manual and electronic data, and consideration should be given to how each kind is processed. Experienced Data Protection Officers are thin on the ground: the latest estimates indicate a deficit of up to 70,000 DPOs across Europe, which represents as much of an opportunity as it does a challenge.
Data is the new oil
Data is a hugely valuable asset for any data-driven business: it enables the day-to-day functioning of the company, and it can also be used to improve the customer or employee experience and to drive business growth. However, if it is not managed correctly, this data could also become a huge liability when the General Data Protection Regulation (GDPR) comes into force in May. It should be remembered that, unlike previous data protection legislation, there will be no ‘grace period’: from 25th May 2018, if your business is not compliant, your company is at risk of reputational damage and potentially huge fines of up to €20m or 4% of annual turnover.
Accountability
If you are a data controller (the natural or legal person, agency or any other body which determines the purposes and means of the processing of personal data), you are ultimately accountable for the way that your company manages and processes data. Whilst accountability has been a requirement of data protection law for some time, the GDPR elevates its significance and, for the first time, data processors (parties who process personal data on behalf of a data controller) will also find themselves accountable. Both data controllers and data processors must be able to actively demonstrate compliance with the GDPR in terms of the organisational, procedural and systems solutions which are in place to protect personal data.
With so many additional policies and procedures required, and the risks being so high, if you’re responsible for managing and processing personal data, tackling GDPR compliance might seem like a daunting task. Whilst there is no need to panic, now is certainly not the time to bury your head in the sand and assume it doesn’t impact you.
Where should you begin?
- Where appropriate, your organisation needs to appoint a data protection officer or a dedicated go-to resource to manage your company’s obligations under the GDPR
- You must implement technical systems, procedural and organisational measures that ensure and demonstrate that you comply. This may include reviews of internal HR policies and internal data protection policies, as well as audits of data processing activities
- Maintain relevant documentation on processing activities and utilise best-practice tools, such as privacy impact assessments and mandatory logs
- Put into effect robust measures which support the principles of ‘Privacy by Design’ and ‘Privacy by Default’. These could include:
  - Transparency with the data subject (current employees or potential candidates) over how their personal data will be used, for what, why and who has access to it
  - Only use data for its intended purpose, so unless unsuccessful candidates for a particular role have given explicit consent for their details to be retained for consideration for future opportunities, their details must be deleted
  - Limit storage of data, for example the data of candidates who are not employed should be deleted shortly after completion of the recruitment process, as should data relating to previous employees
  - Avoid excessive data processing – data should only be requested from candidates if it is absolutely necessary for the recruitment process
  - Ensure the accuracy and currency of data – there is an obligation to keep personal information up to date, for example job titles
  - Ensure the security of any data stored through the continual improvement of technological systems and organisational structures
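The purpose-limitation and storage-limitation points above are the two that most often fail in practice because nobody owns the deletion step. The following retention sweep is an added example, not code from the article or from any HR system: it runs over constructed candidate records, keeps the details of unsuccessful candidates only while they have given explicit, time-bound consent, and otherwise marks them for deletion once an assumed retention period after the end of the recruitment process has passed. The 30-day period, the record layout and the status names are assumptions for illustration, not figures taken from the GDPR; the reason attached to each decision is what lets the organisation demonstrate the processing to a regulator.

```python
"""Retention sweep for recruitment records (added example, not from the article).

Applies two of the principles listed above to constructed candidate records:
purpose limitation (unsuccessful candidates' details are kept only with
explicit, time-bound consent) and storage limitation (otherwise they are
deleted once a retention period after the end of the process has passed).
The retention period and record layout are assumptions, not GDPR figures.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class CandidateRecord:
    candidate_id: str
    status: str                            # assumed values: "hired", "rejected", "in_process"
    process_completed: Optional[date]      # None while recruitment is still running
    consent_until: Optional[date] = None   # explicit consent to keep details for future roles, with expiry


def retention_decision(rec: CandidateRecord, today: date, retention_days: int) -> Tuple[str, str]:
    """Return ("keep" | "delete", human-readable reason) for one record.

    The reason is returned with the decision so that each outcome can be
    documented: accountability means being able to show why data was kept.
    """
    if rec.status == "hired":
        return "keep", "candidate became an employee; record continues under the employment purpose"
    if rec.process_completed is None:
        return "keep", "recruitment process still open"
    deadline = rec.process_completed + timedelta(days=retention_days)
    # Consent to be considered for future opportunities must be explicit and
    # time-bound; expired consent does not justify further retention.
    if rec.consent_until is not None and today <= rec.consent_until:
        return "keep", f"explicit consent to retain for future opportunities until {rec.consent_until.isoformat()}"
    if today > deadline:
        return "delete", f"retention period ended on {deadline.isoformat()} and no valid consent"
    return "keep", f"within retention period until {deadline.isoformat()}"


def sweep(records: List[CandidateRecord], today: date, retention_days: int = 30) -> Dict[str, Tuple[str, str]]:
    """Evaluate every record; returns candidate_id -> (action, reason)."""
    return {rec.candidate_id: retention_decision(rec, today, retention_days) for rec in records}


def ids_to_delete(records: List[CandidateRecord], today: date, retention_days: int = 30) -> List[str]:
    """Sorted ids whose personal data should be erased in this sweep."""
    return sorted(cid for cid, (action, _) in sweep(records, today, retention_days).items()
                  if action == "delete")


# Constructed sample records for the example (not real people or real data).
SAMPLE_RECORDS = [
    CandidateRecord("c1", "rejected", date(2018, 5, 1)),                                   # no consent, period over
    CandidateRecord("c2", "rejected", date(2018, 6, 20)),                                  # no consent, still within period
    CandidateRecord("c3", "rejected", date(2018, 4, 1), consent_until=date(2018, 12, 31)),  # valid consent
    CandidateRecord("c4", "rejected", date(2018, 1, 1), consent_until=date(2018, 6, 1)),    # consent expired
    CandidateRecord("c5", "hired", date(2018, 5, 15)),                                     # now an employee
    CandidateRecord("c6", "in_process", None),                                             # process still open
]
SWEEP_DATE = date(2018, 6, 30)

if __name__ == "__main__":
    for cid, (action, reason) in sweep(SAMPLE_RECORDS, SWEEP_DATE).items():
        print(f"{cid}: {action:6} {reason}")
```

Run as a scheduled job, the same function can feed both the erasure step and the processing log, which is the documentation the regulator will ask for. The sweep deliberately never deletes anything itself: the decision and the erasure are separate steps so that the deletion list can be reviewed and recorded before personal data is removed.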
Seize the opportunities
These measures might seem like a lot of work, but they will minimise the risk of data breaches, help to protect the personal data of staff, ensure your organisation’s compliance and allow you to demonstrate this should the regulator come knocking. And, whilst it’s true that the GDPR presents organisations with challenges, it can also bring great opportunities for companies which use it to build and strengthen trusting relationships with current and future employees and customers.