GDPR for HR—Top 10 Tips One Year Later

​Employers have had a year to comply with the European Union General Data Protection Regulation (GDPR) since it took effect May 25, 2018. Here are 10 practical tips for employers to consider, from a documentation and process viewpoint, a year after the GDPR's implementation.

1. Embed Data Protection in Your Workplace Culture

Data protection compliance is an organizationwide responsibility—educating employees and raising awareness at all levels is essential.

Implement policies and procedures to set out your organization's approach to data privacy and apply and enforce these robustly by highlighting consequences of noncompliance. Build a program of staff training into your education program, to ensure your workforce understands their obligations when handling the company's data.

2. Revisit Your Employment Contracts

Do not rely on the employees' consent to process their personal data. Instead, determine whether you are relying on one or more of the following lawful grounds: legitimate interests, performance of contract or legal obligation. Ensure your contracts of employment are updated accordingly.

If you are concerned about whether you can rely on "legitimate interest" as your lawful basis for any particular processing activity, complete and retain the Legitimate Interest Assessment Tool to identify and reduce privacy risks.

3. Issue a Staff Privacy Notice

A key principle under the GDPR is the right to be informed about how personal data is processed. Think about how your organizations is complying with this requirement. Our recommendation is that all staff are issued with a privacy notice—this can be sent in a short form to job applicants.

When creating your organization's privacy notice, refer to the Information Commissioner's Office website for full guidance on the information you should be including.

4. Implement a Data Protection Policy/Privacy Standard

Effective policies or privacy standards are crucial tools to make employees aware of their data protection responsibilities when handling personal data.

Have your data protection policies—and those relating to IT use or monitoring activities—been updated? Effective policies are key to ensure your staff understand their responsibilities in connection with data protection.

5. Review All Recruitment and Benefit Forms

Applying the principle of data minimization under the GDPR, ensure you are asking only for necessary information in your recruitment and benefit forms.

Consider the data you are transferring to third parties—such as to external payroll, health care or pension providers—and ensure the additional data-controller-to-processor contractual arrangements under the GDPR are in place.

6. Have a Uniform Approach to Data Subject Access Requests

Use a short-form policy to ensure that employees are aware of what Data Subject Access Requests (DSARs) are and how the company will deal with them.

Document your internal procedures for dealing with DSARs to ensure a uniform and timely response. Consider drafting template response documents to support the DSAR policy.

7. Know What to Do in the Event of a Personal Data Breach

Make sure your employees can recognize a personal data breach and know how to report it internally.

For the individual(s) handling the breach, implement guidelines to help them identify risks from the breach; assess whether notification obligations have arisen and implement preventative measures for the future.

8. Set Out Your Procedure on Retention and Destruction of HR Documents

Do not retain data for longer than is necessary and ensure the data being retained is kept for legitimate purposes.

Document your retention periods—along with reasons why you have determined the relevant retention periods—in a companywide policy and/or a stand-alone HR document policy.

9. Review All Consultancy Agreements

Conduct a review of the handling of personal data between your organization and consultants. Issue a privacy notice to the consultant when necessary.

If the consultant will be processing the company's personal data in carrying out the consultancy services, the consultancy agreement must contain mandatory processor obligations.

10. Remember Data Protection Fee

Don't forget to pay your data protection fee—the Information Commissioner's Office is levying fines against organizations who fail to pay.

Razia Begum is an attorney with Taylor Vinters LLP in London. Rachel Ashwood is an attorney with Taylor Vinters LLP in Cambridge, England. © 2019 Taylor Vinters LLP. All rights reserved. Reposted with permission of Lexology.