The government has confirmed that the General Data Protection Regulation (GDPR), which will harmonise data protection procedures across the European Union from 25 May 2018, will have direct effect in the UK, even if the Prime Minister starts the Brexit process next year.

The changes will affect a number of organisational functions and will require ‘buy-in’ from a range of internal stakeholders, including HR professionals. HR teams should undertake an audit of their procedures and policies in order to understand where those changes need to be made.

Any current plans to alter IT systems should be ‘future proofed’ for the new rules, and organisations should be taking steps now to understand the GDPR, particularly since sanctions for non-compliance include fines of up to €20 million or four per cent of a company’s annual worldwide turnover, whichever is greater.

Under the new rules:

  • data controllers (the person or organisation deciding how and why data is processed) will have to provide more information to data subjects on how their data will be processed
  • data processing consent will need to be specific, informed, unambiguous, and be shown to be freely given
  • data subjects will have greater rights to transparency over the processing of their data, and to rectify, delete, restrict, or object to their data being processed
  • data controllers will have greater accountability, and data processors (the person or company processing the data) will be responsible for certain regulatory liabilities for the first time
  • organisations will have to appoint a ‘data protection officer’ (a new role) if they are processing sensitive personal data on a large scale, or monitoring data subjects
  • data controllers will need to comply with more detailed requirements for the security of data
  • data controllers will have to notify regulatory authorities (the Information Commissioner's Office, in the UK) of personal data breaches within 72 hours.

HR teams will need to understand how the regulation will affect policies and procedures for recruitment, during the course of employment and when contracts are terminated. Since employees will have enhanced rights over the use, misuse and retention of their data, employers will have to take more steps to ensure employees have expressly consented to the processing of their data. HR should consider using a separate form for this, rather than just including a clause in an employment contract.

Organisations should ensure data protection policies are reviewed, updated and clearly communicated to employees. Equal opportunities policies will also need to be updated to explain any changes to the way sensitive personal data is stored and retained. Organisations should ensure only data required to carry out essential pre-employment checks is collected during a recruitment process and is not stored longer than necessary. Individuals will have a new right not to be subjected to decisions made solely by an automated process (for example, when being assessed for a job), so employers will need to take care with this.

Employees will have rights to greater transparency in relation to how their data is processed, and HR teams should amend any employment documentation to reflect this, and work with other stakeholders to ensure personal data is processed properly. ‘Fair processing notices’ must be transparent and accessible (the regulations are more prescriptive on these) and employees should be informed of their right to object to the processing of their personal data.

Fees for data subject access requests will be abolished and new timescales introduced for organisations to respond to them (within one month, rather than the current 40 days, and this can be extended to two months "where necessary"). Data controllers will have additional obligations when dealing with subject access requests, but will be able to refuse any "manifestly unfounded or excessive" requests. HR will also have to ensure there are suitable systems in place to notify the regulator (and, potentially, data subjects) if any data breaches occur.

Companies will need to ensure their IT systems allow them to delete data comprehensively as data subjects will have a new right to be forgotten.

Data subjects will have to be informed of their rights and how their personal data will be processed, including whether it is to be sent outside the EEA and what data processing conditions have been relied on to process it if it is. The position will remain much the same as now: transfer of data inside the EEA will remain unrestricted, but there will be a general prohibition on transfers outside of the EEA (subject to data transfer agreements, European Commission decisions on adequacy of protection, and binding corporate rules).

Written by Christine Young and Tara Grossman. This article first appeared on the People Management website.