Among those most affected by the EU General Data Protection Regulation (GDPR) will be HR departments. The Regulation greatly expands employers’ obligations to their staff: employers will now have to inform employees of their right to make a subject access request and to have their personal data rectified or erased. They will also have to tell staff how long their data will be kept and whether any of it is transferred to third countries (countries outside the EU/EEA).
The GDPR also applies to a wider set of HR functions. It covers not only employers processing employees’ personal data but also HR service providers (payroll or benefits providers, for example) that process data on behalf of the employer. Currently, such service providers have only a contractual obligation to the employer and are not directly accountable under data protection law; under the GDPR they will carry their own statutory obligations as data processors.
AmCham Belgium breaks down the biggest challenges that HR departments face in preparing for the Regulation:
“Today, a lot of companies process personal data of employees on the basis of their consent. Over recent years, this approach has been increasingly criticised,” AmCham Belgium writes.
This criticism largely stems from the imbalance of power between employer and employee. Employees may feel obliged to give consent for fear that refusing will harm their job security, or that refusing a particular request, such as consent to monitoring of their computer use, will give the impression that they have something to hide.
The UK Information Commissioner’s Office (ICO) has clarified the GDPR’s position on consent between employers and employees: where there is a clear imbalance of power between the parties, as there usually is in an employment relationship, consent is unlikely to be freely given and therefore unlikely to be valid. The ICO also emphasises that consent is only one lawful basis for processing and advises employers (as data controllers) to rely on it only where no other lawful basis applies. AmCham Belgium writes: “This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).”
Respect the increased rights of your employees
The GDPR gives employees more rights, including the right to erasure (the ‘right to be forgotten’). In certain circumstances, employees will be entitled to require their employer to erase personal data about them, for example where the data is no longer necessary for the purpose for which it was originally collected, or where the processing relied on the employee’s consent and that consent has been withdrawn.
As under existing data protection law, employees are entitled to access the data their employer holds on them by making a subject access request. The Regulation, however, reduces the time limit for responding from 40 days (under the UK Data Protection Act 1998) to one month, which can be extended by a further two months only where requests are complex or numerous.
The GDPR introduces a number of new requirements that will “trigger a shift from paper-based compliance to actual and demonstrated compliance in the field. As a result, the obligations to notify processing activities to the data protection authorities will be abolished.”
The new requirements include appointing a data protection officer (in some circumstances), carrying out data protection impact assessments for processing likely to result in a high risk to individuals, and consulting the data protection authority before starting processing where an impact assessment indicates a high risk that cannot be mitigated.
Prepare for the GDPR
AmCham writes: “It is difficult to overstate the importance of the GDPR and it is clear that it will significantly affect all businesses.
“Employers will need to very carefully assess their current HR-related processing activities and identify the gaps with the GDPR […] Failure to do so may result in significant fines or other enforcement measures that could materially impede their business.”
With less than a year until the GDPR takes effect (25 May 2018), it is crucial that you know your obligations. If you’re looking for a clear, simple introduction to the Regulation and advice on how to comply, you should read EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this guide is the ideal resource for anyone wanting a primer on the Regulation and an overview of their responsibilities for achieving compliance.