GDPR Compliance and HR
By May 2018, UK businesses must be compliant with the incoming General Data Protection Regulation (GDPR).
As many of the changes being introduced involve personal data, naturally HR departments will be heavily involved in GDPR compliance.
This resource is intended as a guide to the main changes introduced by the GDPR in relation to individuals (i.e. members of your team!), particularly the changes that place requirements on companies over and above those of GDPR’s predecessor, the Data Protection Act 1998.
(Note: the guide is aimed at getting you started on compliance towards GDPR. It is not intended as a comprehensive overview of everything you’ll need to do to be ready).
Document how you handle data on behalf of your teams
Beyond GDPR, being a responsible employer means knowing what data you are storing on behalf of your team.
With the introduction of GDPR, these often informal obligations will be formalised and made more stringent.
A key emphasis is placed on documenting how data is processed. This means knowing where the data came from, who has access to it and where it is stored. Someone in the company will be responsible for producing a document that outlines how data has been acquired and where it is kept, as well as any processes around access and deletion.
GDPR requires companies to acquire explicit consent when processing “special categories of personal data.”
This raises the question: what are these special categories of personal data?
Any personal data that is “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
This is further complicated by the fact that whether data is deemed to fall into a ‘special category’ or not depends on the scenario in which it is being used.
Using HR software with specific onboarding functionality is a big help here. By asking for information in a standardised way each time a new hire is made, the new hire is able to opt in and give consent when they fill in the onboarding flow.
Data portability means being able to move data to a new location or organisation.
This means that if a team member moves on to a new company, they have a right to obtain the data they’ve provided to you and reuse this information with their next company.
If you keep your team’s data in a standardised format, you’ll be able to hand over everything easily without any additional administrative burden. If files are scattered and data is stored in various different places, it may still be possible to provide this information to the team member in question, but it’s going to be much more difficult and time consuming.
Team members have the right to ask for and obtain access to their personal data.
This is so they can verify the “lawfulness of the processing” (basically they’re allowed to check to ensure you’re doing everything you should do!).
As a company you legally have 30 days to comply with the request.
The GDPR puts greater responsibility on the employer. Start getting your affairs in order now, so that no additional processes and procedures need to be put in place at short notice.
Some of the changes made around GDPR will not require specific action right away. However, these changes may give team members additional rights that they can choose to exercise; if and when they do, you will be obliged to comply, which takes time and resources. Having standardised processes in place will make these repetitive tasks simple and ensure that you stay on top of GDPR compliance.