Many employers will be busy preparing for the General Data Protection Regulation (‘GDPR’), which comes into effect in May 2018. But what does GDPR mean for HR?
Every area of a business is affected by the new regulations, and some of the most significant changes will be for Human Resources. Amid the complexity, we’ve extracted three key changes that should be top of your ‘GDPR to do list’ as an employer and an HR professional.
Changes to Consent
When it comes to employees consenting to the use of personal data, the landscape is changing. The bar has been raised for valid consent. The changes that will have the biggest impact for employers are that consent must be freely given and it must be as easy to withdraw as it was to give.
The requirement for consent to be freely given means that if consent has been made conditional on another agreement, such as the employment contract, it will no longer be valid. Even if consent is obtained in a separate agreement, it is unlikely to be freely given, in light of most employees’ reluctance to refuse consent and risk disrupting the employment relationship.
Employers must also inform employees, upfront, that they have a right to withdraw their consent at any time, and how to do it. The reality is though, if an employee does exercise that right to withdraw, it leaves the employer in a very difficult position. As such, consent will not be a reliable basis for processing employee data unless it is for a specific purpose, such as seeking a medical report.
In addition to these changes, for consent to be effective, it must be based on clear affirmative action (forgetting to tick a box just won’t cut it). Employers must also be clear on exactly what employees are consenting to; generic statements such as ‘you consent to the Company processing your data for business purposes’ fall short of the required standard.
These changes mean that once the GDPR is in force, consent will rarely be a valid basis for processing data within the employment relationship.
The good news, however, is that there are a number of other legal bases that employers can rely upon to justify the processing of employee data, and in most cases they will already have one of those in mind. For example, the processing of personal data for payroll purposes will be justified because it is necessary for compliance with legal and contractual obligations, and as such there is no need for an employee to consent – although employees rarely object to the processing of data for pay purposes!
The key will be improving communication with employees and ensuring they are aware of the practical purpose and legal basis for processing their data.
Communicating how personal data will be used
Next up for employers to think about is what information they need to share with employees about how their personal data will be used.
In short, tell them everything.
This information should take the form of a privacy notice. A good privacy notice will contain: the name of the data processor, a clear outline of what data will be held by the employer, how this data will be processed, the purpose of the processing, the legal basis for processing, who the data will be shared with, how long it will be retained for, and details of any overseas storage. Quite a list! The idea is that employers should give employees a very clear understanding of what to expect in relation to their personal data.
Managing this in practice is not easy. Despite the comprehensive list of information to be provided in a privacy notice, it must also be concise, accessible and written in plain English. To strike this tricky balance, we would advise employers to provide employees with an initial privacy notice containing the generic information required, then to provide updates at key points within the employment lifecycle, such as when an employee is promoted or when entering into significant procedures such as the disciplinary or sickness absence procedure.
It’s a culture change
In our view, the key to implementing the GDPR requirements successfully will be achieving a culture shift. It may sound like a big mountain to climb, but personal data needs to be at the centre of both day-to-day management and project management.
Gone are the days when personal data could be an afterthought, two weeks before a new system is launched. When embarking on a new project, personal data and the GDPR need to be among the first things organisations think about. They need to be present right the way through a project and, most importantly, evidenced in all project documentation.
You can implement all the new rules and processes you like to achieve compliance with these requirements, but nothing will be more effective than working with managers to achieve a change in mindset.
Employers should be encouraging managers to think about data privacy in all of their daily activity and in everything they are responsible for within their role. HR teams have a pivotal role to play here, helping managers to see the value in personal data and the potential risks associated with it. This, and only this, will lead to successfully achieving the changes required to be fully compliant under the GDPR.
These are just three important issues that should be at the forefront of HR professionals’ minds right now. There is plenty more to think about, but that’s a conversation for another day.
At Vista, we are busy helping our clients tackle the points above and achieve compliance with the GDPR – please get in touch if we can help you prepare.