GDPR is nearly here. Are your employees ready?
14 May 2018
On 25 May 2018, the new EU General Data Protection Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) will enter into force.
Given the scale of the task, many businesses have been working towards compliance for some time. During an initial stage you will have carried out a gap analysis against the GDPR readiness criteria, and then focused on remediating any gaps.
Modified data protection principles
- Fair, lawful and transparent processing: an organisation must be more transparent with employees about their processing activities.
- Purpose limitation: personal data collected for one purpose should not be used for a new, incompatible, purpose.
- Data minimisation: an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes.
- Accuracy: every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.
- Storage limitation: personal data cannot be kept for longer than is necessary.
- Accountability: controllers are responsible for, and must be able to demonstrate compliance with, the data protection principles.
Consent – no longer an option for HR data?
The requirements for obtaining consent are much stricter under the new GDPR regime:
- Consent must be freely given, specific, informed and unambiguous. Article 29 Working Party takes the view that employees can almost never give consent freely, due to the imbalance of power between employers and employees.
- Consent must be clearly distinguished from other matters, in an intelligible and accessible form, using clear and plain language.
- Consent may be withdrawn at any time and it must be as easy to withdraw consent as it was to give it in the first place.
Enhanced rights for employees
The rights that data subjects currently enjoy have been significantly enhanced and extended under the GDPR, such as:
- With regard to the right to information: under the GDPR employees must be provided with much more detailed information about the personal data that their employers hold. Privacy notices must be transparent, intelligible and easily accessible.
- The GDPR also introduces a new right to have information erased (the so-called “right to be forgotten”) and a new right on data portability that will allow employees to request that certain personal data is transferred directly to a third party.
Employee engagement is key
- Employees should be informed on how you will process their personal data (why, how, how long). Update privacy template clauses for new employment agreements, and provide specific privacy clauses for the different HR processes. Draw up a meaningful privacy notice for your employees and other workers.
- Employees should be able to access their data, to correct it, to request erasure or object to processing. Prepare a Data Subject Rights Request Form to assist your employees in exercising these rights
- Introduce or update your General Data Protection policy.
- Avoid accidental data breaches by giving training at regular intervals.
- Make sure employees have tools at their disposal to help establish GDPR compliant behaviour within your company. Handy flowcharts can help identify what they need to do, eg a response process flowchart or an individual rights flowchart. Other useful tools include policies on Complaint handling and on Data Security Breaches.