By now, most businesses will be aware that 25 May 2018 will see a seismic shift in the way organisations, large and small, can use personal data, including employee data. For many organisations, the new law – the General Data Protection Regulation (GDPR) – will require huge changes to the way internal processes are run, and there is now less than a year to get the house in order. If you aren’t already aware of the GDPR, do take a look at our videos: https://www.stephens-scown.co.uk/data-protection-breaches
With potential fines for breaching the new rules increasing massively – from the current maximum of £500,000 up to €20 million or 4% of worldwide turnover (whichever is higher) – the new regulation ought to be at the forefront in the minds of employers and HR.
Here is our summary of the issues for employers and HR to be aware of, in terms of job applicant and employee data:
Recruitment Process
- You will be required to provide much more information to candidates, probably by adding to your privacy notice and data protection policy. You’ll need to be clear on how long data will be stored, explain the right to have data deleted or rectified and the right to make a Subject Access Request, and say whether any data will be transferred overseas.
- You will be subject to a higher standard of consent for processing applicant and employee data. Many employers currently rely on a clause in the employment contract and generic descriptions of the purposes for which data will be processed; under the GDPR that is unlikely to be enough, as consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act. HR should review the consent process – for example, obtaining consent in a specific form that separately lists each purpose for which data will be used, since the GDPR is clear that where there are multiple processing purposes the person must consent to each one. Bear in mind also that, because of the imbalance of power between employer and employee, consent given in the employment relationship will often not be regarded as freely given, so you should consider whether another lawful basis (such as performance of the employment contract, a legal obligation or legitimate interests) applies before relying on consent at all.
- Recruitment businesses also have a number of challenges to consider. They will need to carefully review how they collect, retain (and erase) candidate data, and obtain specific consent(s) to use that data; and review processes and policies where candidate data is being obtained e.g. from job boards or social media platforms.
Training
- You should review whether you are now required to appoint a Data Protection Officer (if you don’t already have one). Broadly, a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Act now, as it may take some time to identify, hire and train a suitable person. The other issues listed here will also create staff training requirements.
Employee Relations
- Many businesses will be used to dealing with Data Subject Access Requests, usually when there is an employee dispute. GDPR reduces the response time in most cases to one month (from 40 days), extendable by up to a further two months only where requests are complex or numerous; removes the right to charge the £10 fee (a reasonable fee may be charged, or the request refused, only where it is “manifestly unfounded or excessive”); and requires you to provide more information than currently. Review how you respond to DSARs and train those involved in handling them. Is your IT system up to the task of isolating the necessary data in time?
- People will have the right to withdraw consent at any time where consent is the basis on which you process their personal data. This, too, has the potential to be used by employees with whom you are in dispute; either way, HR should prepare a process to deal with it.
Automated decision-making
- GDPR gives individuals the right not to be subject to a decision based solely on automated processing (including profiling) where that decision has legal or similarly significant effects on them. As a first step, HR should review whether (and how) such decisions are currently made, and consider possible alternatives, such as building in meaningful human review. Examples might include automated recruitment sifting, or sickness absence process trigger points.
Breach Response
- One of the biggest changes is the obligation to ‘self-report’ personal data breaches, including breaches of employee data, to the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to them, the affected data subjects must also be told without undue delay. With HR so involved with employee data, HR should be involved in developing a breach response plan that includes training for those with new responsibilities.
Leavers
- GDPR introduces a ‘right to be forgotten’ (erasure). There remain many questions as to how this will operate in practice, and the right is not absolute (for example, it does not apply where you need to keep the data to comply with a legal obligation or to establish or defend legal claims), but HR should be prepared for leavers (or unsuccessful job applicants) to seek to enforce it. In practice, it puts an onus on removing information from HR files that is no longer needed, and on reviewing IT systems (including backups) to ensure that permanent deletion is done properly.
New HR systems and processes
- GDPR enforces the idea of ‘privacy by design and by default’, rather than privacy as a ‘bolt-on’. Whenever HR introduces a new system or process, particularly a new IT solution, privacy must be built in from the outset, and a data protection impact assessment is mandatory where the processing is likely to result in a high risk to individuals (and good practice in any case).
Now is the time to review all of your employee data processing activities, carry out a thorough audit of data held on your systems (electronic or otherwise), review policies and notices, and train staff. GDPR will change the way employers and HR teams collect, store, use and share employee and applicant data.
Our Employment and IP/IT teams advise organisations of all types and sizes on employment and data protection issues, including job applicant and employee data. They provide practical support, working in partnership with organisations to improve practice, ensure compliance with the new regulations and avoid the potentially very significant fines.