There's no denying it - GDPR IS coming (with only 2 months to go until it is applicable). The General Data Protection Regulation WILL impact on your organisation, it WILL require you to update your employment documents and it WILL require you to have a Privacy Notice. But it’s not too late to start working towards compliance if you haven't already! We ask Emma O’Connor, Head of Training and speaker/writer on GDPR about what HR needs to be doing right now…
So, Emma, GDPR - what are the key messages and what can organisations do with 2 months to go?
The key messages are that GDPR is applicable from 25 May 2018, it will impact upon your organisation and the way it holds and processes data about its staff and also about others, for example your clients and employees. It will impact on the way you can transmit personal data to third parties, for example payroll providers or i-cloud storage services, even to group companies outside of the EU. It will also require you to update your contracts of employment and data policies and have a mandatory Privacy Notice. However, the main thing to remember is that it’s not too late to get a compliance strategy together if you get started now!
Is there a small business exemption?
No - there is no small business exemption. Even if your organisation doesn’t have a website, it will hold some personal data somewhere about someone.
Can we go back to basics?
GDPR is designed to give people more control over their personal data. It will require organisations to be more transparent and open about how the personal data of EU citizens is collected and used and make them justify this use. It will also introduce eye-watering fines for failing to protect people's personal data.
Let’s look at the HR data angle, what especially should HR be doing?
The first job is discovery. If you don’t know what data you hold, you cannot then go on to answer other questions like, for example, why data is held or who has access to it. So auditing, evaluating or data-mapping HR data is key to ensuring GDPR compliance.
What about employment contracts and policies - will these need to be changed?
Undoubtedly, yes! I can bet that your contract will have a data protection consent clause contained within it. Go on, have a quick look - I’m right, aren’t I? You might be thinking "is this ok?" - the answer is NO. Consent cannot be blanket and it cannot be conditional on signing a contract. Instead, it has to be freely given and unambiguous. Basically, it is not appropriate for an employment contract and is possibly only appropriate in very limited circumstances as a separate and specific consent request. So the answer is, yes, contracts of employment will have to be changed before 25 May, and employees will also need to be told that the clause has changed. You may also need to update your Data Protection Policy and Retention Policy.
What is a Privacy Notice and do organisations need one?
Absolutely. Let me be clear, a Privacy Notice is mandatory. I cannot stress enough just how important the Privacy Notice is for organisations. A Privacy Notice is your data mission statement; it has to be sent or referenced on your website to candidates for employment, employees and workers at the point when data is collected.
Data processing is about transparency and ensuring there is openness between you and your data subjects. The Privacy Notice assists in this, explaining what data you hold, what you do with it, who it is sent to, data security measures and data subject rights. It’s the “what, where, why, how and when?” about how a data controller (that’s your organisation) processes an employee’s personal data. It also sets out the lawful basis for processing personal and sensitive personal data (now called special categories of data) – that’s your justification for processing and these are set out in the Regulations. It explains who is responsible for data within the organisation and what to do in the event of a complaint. It is a data information “one stop shop”. It is a really important document; it will take time to get right and to ensure the right assessment has been made about the data you hold and process.
I would add a word of caution too - Privacy Notices are necessary for different categories of personal data. So the organisation will need a Privacy Notice relating to client data, employee data, and candidate data and so on. If your legal teams are taking responsibility for GDPR remember that HR is different and needs its own set of rules. One size does not fit all.
What about those HR teams that hold loads of old employee data - what’s the harm?
We all like to keep data to be on the “safe side”, but the trouble with holding lots of really old information is that it can be out of date, irrelevant and incorrect. There are risks with holding and using incorrect information about a Data Subject. As I’ve said this is where the discovery bit comes in. Once you discover what data you actually hold and for what purposes you can then assess what documents you need to keep. This does not (and should not) mean you delete all employee or worker data from 25 May. Some documents you will need to keep for a long time both legally and practically, but others have a “shelf-life”. You also have to set out clearly how long you will keep data for in your Privacy Notice and this will vary depending on the type of data in question. If there is any doubt then please take advice.
As a side issue, HR will also have to think about its exit procedures, particularly around managers who store personal data on personal devices and laptops. Data isn’t just held in HR’s filing cabinet - think about IT security and paper information.
Isn’t GDPR just another layer of bureaucracy for organisations?
We need to view GDPR as an opportunity to develop new tools, clean up systems and ensure data is up to date and relevant. We are seeking to change the data “mind-set” and culture around data. Think about new uses of data in your organisation, new technological advancements or data transmission and revisit your policies.
Have your data justifications changed? Are you doing something different with a person’s personal data? What do staff do with CVs or medical records? If you receive data from a third party source, what safeguards are in place? Do you fall within the rules for keeping records of your data processing activities, or should you keep them as a matter of course? Do you need a Data Protection Officer? Do you do anything “high risk” with data – for example, transferring data outside of the EU; if so, what steps are in place to protect data? Are you involved in large scale monitoring activities? Do you have the processes in place to deal with data subject access requests? Also, what is going to happen if there is a data breach - will this fall within the business’ continuity plan?
The obligations for data protection compliance do not stop on 25 May 2018, but are ongoing. Marketing, HR, IT and senior leaders are going to have to work together.
What is Boyes Turner’s GDPR Employment Data Protection Toolkit for employees and workers?
Firstly, please don’t panic; we can help. We have produced a GDPR Employment Data Protection Toolkit, a suite of GDPR compliant template documentation relevant for employees and workers, ready to purchase, to assist HR in getting their employee and worker policies and Privacy Notices in order. The Toolkit consists of a Contract of Employment Clause, Data Protection Policy, a Privacy Notice and a guide to GDPR. Our GDPR Toolkit has useful drafting and practice points to help HR in the task. We have also put together a Candidate for Employment Privacy Notice and also a Corporate Data Protection Statement.
These documents save time and really do help HR with the task of working towards GDPR compliance. Email me and we can discuss what you need – you don’t have to purchase all of it; for example, you might just need the contract clause and the Privacy Notice.
What else should HR be doing and how can Boyes Turner help?
Training and awareness is another big compliance issue for HR and organisations. GDPR is about changing the culture of how personal data is viewed by the whole organisation and educating staff that there is a value in data. Some have said that “data” is the “new oil”. Again, we are training HR teams, as well as the wider employee population, marketing teams and IT, on their roles and responsibilities for data protection. We are also reviewing third party supplier agreements to ensure that they protect your employees’ data.
Thank you, Emma! So whether it’s GDPR training/awareness, our ready-to-go GDPR Toolkit or strategic assistance that you need, we can help. It’s not too late to get in touch and get GDPR compliant! Contact our GDPR training expert Emma O'Connor at [email protected] to get started.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.