The General Data Protection Regulation (GDPR) is now less than 6 months away, and the need for businesses to start working together to ensure that all aspects of data storage and processing are ready for the extensive and complex changes has never been greater.
Failure to comply with the GDPR could result in significant financial penalties of up to 4% of annual group global turnover or €20 million, whichever is greater. As well as the financial consequences of a data protection breach, there could also be significant reputational damage, as the Yahoo and TalkTalk cases show.
Businesses should now be undertaking an audit and mapping exercise, and drawing up a project plan that will require people across the business, from the marketing teams to the IT, sales and finance departments, to address each aspect of data processing. One of the most important groups that will need to start reviewing their data processing is HR departments, given the large amounts of personal data that they hold. This includes information about their employees and job applicants, as well as people who previously worked for the business.
The other key considerations for HR professionals are:
1. Consent – you can no longer rely on the type of passive consent or implied consent that has been common in the past. You will also need to document consent and make it as easy to withdraw as it was to give in the first place.
2. Other legal basis – consider if there is something other than consent that you can rely on such as the performance of a contract or legitimate interests.
3. Update Policies and Procedures – HR professionals will need to review their Data Protection Policy as well as wider policies that connect to the various aspects of data compliance including the Whistleblowing Policy, Code of Conduct, Electronic Communications Policy, IT Policy, and Home Working Policy.
4. Training Programme – employees will need to understand the GDPR and how it applies to them in practice. Delivery of the implementation will need to be supported by a comprehensive training programme that is ongoing, regularly updated and attended by relevant staff.
5. Breach Response – HR professionals should contribute to their business’ breach response plan, as most data leaks come to HR departments in the first instance.
6. Subject Access Requests – with the rules on responding to subject access requests changing, HR people will need to familiarise themselves with the new regime in advance of receiving requests after the GDPR has come into force.
7. Impact Assessment and Project Plan – everyone needs to be represented on the working groups tasked with identifying risk factors, impact and finalising the project plan.
It is important for HR specialists to recognise that employers must maintain an awareness of developments and update their policies and procedures accordingly to meet the GDPR’s new requirements.