United Kingdom: What Does GDPR Mean for HR?

​Human resource teams in the United Kingdom have been working to get their processes ready to comply with the new data protection laws as of May 25, 2018, when the General Data Protection Regulation (GDPR) came into force. While some businesses are ready for the GDPR, many are not. For many companies, this date will represent the early stages of a long compliance journey.

What Should HR Be Doing Now?

It is important to take steps now, as failure to comply with the GDPR has potentially very serious consequences. The International Commissioner's Office (ICO—the U.K. regulator) may issue fines of up to 4 percent of annual worldwide revenue or 20 million euros, whichever is higher. Individuals can also claim compensation to recover both material and nonmaterial damage, such as distress.

The ICO has stressed that it will continue to take a proportionate and pragmatic approach when considering breaches of data protection rights and that enforcement would be a last resort. That said, if an employer persistently, deliberately or negligently flouts the law, the ICO will impose hefty fines.

Keeping Staff Informed

By May 25, staff should receive a privacy notice that sets out information about their personal data, including the purposes and legal basis for the data processing. Going forwards, HR should ensure processes are in place so that if any changes are made that mean that, for example, different categories of data are processed or the purpose of processing data changes, staff are informed about this in an updated privacy notice.

In the same way, updated privacy notices to reflect any changes should be given to job applicants.

Preparing and Updating HR Policies and Procedures

In addition to updating employment contracts, consultancy agreements and the data protection policies, some HR procedures will need updating—for example, those relating to recruitment and obtaining references and medical reports.

Individuals have a number of new rights, including the right to erasure (deletion of data in relation to them) and to restrict/object to processing. These rights will be triggered as a result of noncompliance with the GDPR data protection principles, which can include retaining data longer than necessary. HR will therefore need to have processes to record and act on such requests by job applicants and current and former staff.

Data Security and Training

Employers must notify the ICO of a data breach within 72 hours of becoming aware of it, unless it is unlikely to adversely impact on individuals' rights. If, however, the data breach is likely to have a significant impact on individuals' rights and freedoms, those individuals must also be notified promptly.

To reduce the risk of a data breach, it is important to educate staff about their data protection and security obligations. This also demonstrates that you have taken steps to ensure that staff process personal data lawfully.

Once you have an updated procedure for handling data subject access requests (DSARs—a tool increasingly used by employees to find information processed about them), and established procedures for dealing with the new rights, such as the right to erasure, you should arrange training for those individuals who will be dealing with DSARs. This will usually include HR, line managers and IT.

It is important to get the DSAR process right because, in addition to the financial penalties outlined above, the ICO may bring criminal proceedings against the company or its directors if steps have been taken to alter, erase, destroy or conceal data with the intention of preventing disclosure.

Data Cleansing

Personal data should be kept no longer than necessary for the purposes for which it was processed. Historically, data retention policies have often not been implemented as seriously as they will now need to be. The increased, and serious, sanctions for noncompliance should encourage employers to be stricter about managing data retention properly.

Another reason for employers to be mindful of poorly managed data retention is that this is likely to significantly increase the burden created by DSARs. The publicity surrounding the GDPR means that employers may see a spike in requests from employees, former employees and job applicants to see the information that is held about them.

Changes to DSARs under the GDPR generally allow employers less time to comply and, potentially, a wider pool of data to be captured by such requests. That said, effective data cleansing should ensure that:

• The costs and time incurred in responding to DSARs are no greater than necessary.
  

• DSARs do not flag wider noncompliance in relation to data that should have been deleted/destroyed.
  

Data cleansing systems must be in place to ensure that HR and all line managers who process staff personal data comply with the data retention policy. All staff personal data must be securely deleted/destroyed or depersonalized, if there is no lawful basis for processing it.

Demonstrating Compliance with Data Protection Principles

Employers must be able to demonstrate compliance, if challenged by the ICO. This means that, throughout the design stage of any policy, process, product or service, employers must take data protection risks into account by:

• Assessing and implementing appropriate and proportionate technical and organizational measures and procedures from the outset.
  

• Putting mechanisms in place to ensure that only personal data necessary for each specific purpose is processed.
  

• Completing a detailed data privacy impact assessment if carrying out high-risk processing, such as closed-circuit TV monitoring or the processing of special category sensitive data. High-risk processing may involve consulting with the ICO about whether risk mitigation is adequate.
  

In addition, there are new GDPR recordkeeping requirements. As part of demonstrating compliance, employers must maintain a record of their processing activities, which must contain certain information, such as the purposes of processing, data retention and security measures. This record must be made available to the ICO on request.

Chris Holme and Corinna Harris are attorneys with Clyde & Co. LLP in London.  © 2018 Clyde & Co. LLP. All rights reserved. Reposted with permission of Lexology.