Are the changes under the GDPR significant?
While many of the core obligations remain the same, there are some key changes that will fundamentally affect the way your organisation handles personal data, from how you talk to customers, to how you recruit employees.
The most visible change is the new fine for breaches, which rises from £500,000 to around £18 million or 4% of your worldwide annual turnover, whichever is greater. If you suffer a data breach, you may also need to pay compensation to individuals who have been affected.
If your organisation suffers a breach after the GDPR comes into force on 25th May 2018; The Information Commissioner’s Office will assess any failings against how much work your organisation has done to meet its new obligations. It is likely that the more stringent your planning to comply with the GDPR and the ways you can prove you have tried to stave off risks of non-compliance, the less likely you are to face the full penalties. We will of course be monitoring how the law is enforced in May 2018 and beyond, but it is paramount that you are compliant by 25 May 2018 to reduce risk.
Perhaps the most significant change under the GDPR is the need to obtain free and unambiguous consent to hold customer and employee personal data. Implied consent will no longer apply, so pre-ticked opt-in boxes will not be sufficient. This means organisations may need to reconfirm consent for existing employees for processing information and make sure they have a robust consent process going forward.
The new law also gives employees the ‘right to be forgotten’, which means they can ask you to erase all data you hold about them. From 25 May 2018, you also have less time in which to fulfill Subject Access Requests, so if an employee asks to see a copy of the information you hold about them, you only have one month to comply under normal circumstances and you can no longer charge the £10 administration fee.
There are other changes that you will need to assess the impacts of under the GDPR, including new categories of personal data (such as genetic and biometric data), and the requirement to report data breaches within 72 hours. For a full list, read our 12 key changes here.
Using the life cycle
Our employment life cycle wheel outlines some of the key compliance requirements for handling employee personal data. Many of the points should already be part of your compliance with the existing Data Protection Act, but some are new obligations that the May 2018 law introduces.
The wheel loosely follows the journey of an employee from attraction and recruitment through to separation, but also focuses on key aspects of the employment process such as your policies and procedures, and training activities and highlights the differences from when and how you hold data about prospective employees, applicants, established employees and leavers
Pay close attention to the way you gather information and describe vacancies
When you post job advertisements online, add a link to your privacy notice so candidates can see how their information will be used and stored. Make sure any recruitment agencies you commission are observing their data protection obligations, such as seeking consent before forwarding CVs to you.
Be sensitive to the way that job advertisements can sometimes disclose personal data inadvertently. For example, advertising for maternity cover discloses medical information that the existing employee is pregnant. Get their consent before posting it publicly, particularly if the existing job holder is easily identifiable on LinkedIn or your company website.
Create a consent-orientated process for handling candidate information
Think about consent throughout the recruitment stage. Although your privacy notice and recruitment agencies have explained consent in terms of receiving the candidate’s CV, seek further consent before you contact their referees to ensure no embarrassment is caused to either party.
Once a candidate has accepted a position, further consent is needed to store and process their information for the purposes of employment. Create a separate document to the employment contract that briefly itemises each aspect of consent you require in order to process their data alongside a tick-box.
E.g. I, hereby give my express consent for [EMPLOYER NAME] to process their data for the purposes of maintaining internal records.
Don’t forget, data subjects must be able to withdraw consent, it must be freely given and the burden of proof is on employers to show consent is validly obtained, so make sure you think about documentary evidence of proof.
Policies and procedures
Update policies and procedures in line with changes to law
Review your key documentation in the context of the new data protection law, and ensure it is clear, concise and practical. This is also an opportunity to assess the overall data protection culture of your organisation to discover any compliance gaps.
Updates to policies and procedures must be communicated to employees and added to your induction course. The changes may also necessitate some bespoke training for certain roles. Review policies regularly going forward to take account of further legal changes, and make sure staff are aware of changes, what’s included and where to find them
Training and development
Make data protection part of your continual improvement programme
Despite advances in technology, preventing data breaches is still a very human activity, so make data protection an integral part of your continual improvement. Raise awareness of data handling and security issues, particularly how to recognise and report incidents.
Make sure your organisation has an ‘open door’ culture when it comes to data – it should be treated in the same way that health and safety is – it affects everyone and everyone must comply.
Under the GDPR, organisations with 250 or more employees must appoint a Data Protection Officer (DPO). Even if your organisation isn’t large enough to legally require a DPO,, appointing someone who is a ‘data champion’ will help to provide clear leadership and responsibility for driving data compliance across departments and teams. Make sure the DPO or person responsible for compliance receives adequate training & are fully aware of their obligations.
Bear in mind that the legislation is in its infancy. Keep abreast of any developments and changes over time and make sure you apply any relevant updates to your policies, procedures and staff training materials.
Encourage feedback from your employees and placate their concerns by assuring them that you have an ‘open-door’ culture and a strict confidentiality policy.
Keep personal data manageable and up to date
Data minimisation and ensuring data is accurate is key for HR teams under the GDPR. Regularly delete information you no longer require for example referee details for an employee that has been with you for 10 years. If you have no lawful or regulatory reason to keep data, minimise it.
This not only helps you to meet your data obligations, but also saves considerable time and resources if an employee makes a Subject Access Request (SAR) to see all information you hold about them.
Bear in mind that many data breaches are caused by out-of-date contact details. Check the accuracy of your employee data regularly, particularly telephone numbers, postal and email addresses.
Take a practical approach to information retention after an employee leaves
When an employee leaves your organisation, use the exit interview to remind them of their data protection responsibilities, which extend beyond their employment period. This is particularly relevant if formal restrictive covenants have been included in their contract.
Carefully choose which information about the employee to retain, with a phased approach to deletion if necessary. Minimising data will help you to respond to SARs, and execute an ex-employee’s ‘right to be forgotten’ if they exercise it.
Separation due to a data breach
Data breaches should launch an immediate response and improvement process
Your information processes should focus on minimising the risk of a personal data breach, such as password protection of devices, and encrypting sensitive information before sharing it. If you suffer a data breach, measures like this will count in your favour when the ICO considers penalties.
Ensure your data breach response plan is easy to deploy, such as pre-written letter templates to send to employees whose information has been exposed. A data breach should also prompt a review of relevant processes, with continual improvement as required.