UK Data Protection Law changed on 25 May 2018, with the new General Data Protection Regulation (GDPR) taking effect.
Many of the key principles of the Data Protection Act 1998 are replicated in the GDPR and the new Data Protection Act 2018, but there are also some significant changes.
Here are some of the key things HR professionals need to know.
New definition of sensitive personal data
Sensitive personal data under the Data Protection Act 1998 is replaced under the GDPR with "special categories of data". For the first time this includes genetic and biometric data, as well as continuing to apply to data about health, ethnic origin, sexual orientation and sex life, religious and philosophical beliefs and political opinions, trade union membership, and in the UK, criminal offences. Employers will frequently find themselves processing special category data so understanding the implications of the special protections which apply is important.
Consent and processing conditions
The criteria for giving valid consent are stricter and individuals can withdraw consent at any time. Employers are unlikely to find that they are able to rely on consent for processing data. Instead, employers will need to identify and record other lawful bases for processing personal data. This is not as complicated as it sounds, but record keeping is vital and under the new Data Protection Act processing conditions must be underpinned by appropriate policies.
Privacy by design and compliance
Your data protection approach must be tailored to your organisation and your workforce, and crucially you must be able to demonstrate compliance. The Information Commissioner emphasises that 25 May 2018 is not a deadline but a starting point. You must consider how you will create and manage your audit trail across HR moving forwards. Data protection will be an area of sharp focus for audit in the future.
The GDPR increases the amount of information that must be included in privacy notices for them to be legally compliant. They need to be drafted in plain and clear language to meet fairness and transparency requirements under the GDPR. Privacy notices will not just be required for employees, but also consultants, workers, non-executives and board members and also applicants and volunteers.
Privacy Impact Assessments
Organisations must carry out a data protection impact assessment (DPIA) if they wish to carry out a type of processing that is likely to result in a high risk to the rights and freedoms of individuals. The GDPR particularly highlights the use of new technologies, but the ICO also recommends DPIAs for large projects and new systems. A new payroll system or a new HR benefits platform are examples of projects where a DPIA would be required.
Subject Access Requests
You can no longer charge a fee, and instead of 40 days to comply with a request, the time limit for compliance reduces to one month.
Individuals will have greater rights, including rights to request to be forgotten or to restrict processing, and the right to data portability.
Higher sanctions for non-compliance
Fines of up to 4% of annual global turnover or €20 million, whichever is higher.
Mandatory reporting of data breaches
All data breaches must be recorded, and most breaches reported to the Information Commissioner's Office within 72 hours. Breaches creating a high risk to the rights and freedoms of individuals must be reported to the individuals affected. Most breaches result from human error and can often be traced back to employees and contractors. HR teams will have a key role in managing and preventing data breaches and the business risks which flow from them.
What key actions should HR teams be taking now?
- Make data protection a priority; this may entail a cultural shift, and those in HR and management positions should set an example. Train those who need to be trained.
- Do a data protection audit – what types of personal data are you processing and why? You must identify and record the lawful basis for all processing activities.
- Review existing policies, procedures and processes to check you are GDPR compliant. In particular, ensure that you have a comprehensive data protection policy and update your contracts of employment if necessary, especially if you currently suggest that you rely on consent. Retention and deletion procedures must form a part of your data protection policy.
- Update your privacy notices.
- Review record keeping processes and produce a document retention schedule. Organisations with 250 employees or more have stricter obligations regarding record keeping. As part of this process you will need to consider how the GDPR may impact on other policies: disciplinary warning records for example, or whistleblowing and grievance records. You will need to ensure that the data protection principles can be seen to apply throughout your policies and HR management.
- Consider who you share data with. You will need to review your contracts with third party service providers and suppliers (e.g. recruitment agencies and benefit providers) for compliance with the GDPR. You must ensure you have the right contracts and agreements in place if you are sharing data.
- There are different requirements for data processing agreements (for example with your payroll provider) and data sharing agreements – for example if you share people data with potential bidders in an outsourcing procurement.
How can we help?
Although you must ensure you adopt privacy by design principles, we know that having sound legal documents to work from makes life much easier; or perhaps you just want a second pair of eyes to check what you have done.
We can provide you with the following template documents:
- A compliance checklist
- Privacy notices for employees, workers and contractors, applicants and volunteers
- Contract clauses and draft letters to employees
- A Data Protection Policy
- Standard clauses for contracts with your suppliers (including consultants)
- A data sharing agreement for use with other data controllers
We can also help with the following:
- An audit of HR policies to identify possible data compliance issues – for example monitoring, discipline, whistleblowing, recruitment
- A gap analysis on your compliance plan and progress to date
- Training for boards or specific teams in high risk areas
- Guiding you through undertaking a legitimate interest assessment (required if you are relying on the legitimate interest processing condition)
- Help undertaking a data privacy impact assessment (DPIA)