With the GDPR’s effective date of May 25, 2018 on the horizon, Human Resource Management departments should be planning the changes needed to keep their operations lawful once the regulation applies across Europe. Most HR departments will find it challenging to balance employees’ privacy against the tasks they must carry out in their roles as HR personnel.
It is crucial that human resource professionals and employers start organizing themselves now, because the law affects a substantial part of their work: seeking information from candidates, and recording, storing and sharing it. All of these activities are regulated by the new law. The most significant change is the limit on the use of consent, particularly in the context of an employment relationship. Where HR relies on consent, the onus will be on the employer to demonstrate that the employee gave it freely. For most routine HR processing, employers will instead have to show another lawful basis under Article 6 of the GDPR, such as performance of the employment contract, compliance with a legal obligation, or the employer’s legitimate interests balanced against the employee’s rights.
Use of Privacy Notices
HR departments will have to confirm that their data processing meets the new requirements. They must ensure that employees have sufficient information about how their data is processed, whether or not consent is the lawful basis relied on. The law will necessitate a move away from over-reliance on employment contracts towards privacy notices. Necessary adjustments include revising the template contracts for new employees to remove consent clauses that conflict with the GDPR’s requirements; the new templates can instead refer employees to the organization’s privacy notice. The migration from contract clauses to privacy notices will not be easy and requires early preparation, since it also involves revising the underlying data protection policies.
Some current practices will not survive. For instance, consent must be freely given, specific, informed and unambiguous, and that condition is almost impossible to satisfy when a worker has to sign the employment contract to get the job. Employers today rely on implied consent contained in the employment contract to process personal data. Under the GDPR, consent given under that imbalance of power is unlikely to be valid, so employers should rely on a different lawful basis for routine HR processing and reserve consent for the few situations in which the employee has a genuine free choice. The GDPR also obliges employers to provide information about processing in clear and plain language, to support transparency and ease of access. HR departments will therefore have to review their privacy notices and policies against the rights of employees and candidates.
Data Breach Notification
One of the fundamental requirements of the EU regulation is the controller’s duty to notify the supervisory authority (in the UK, the Information Commissioner’s Office) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, the affected people must be informed as well. This requirement places an extra burden on employers. They will have to formulate explicit policies and create well-practiced procedures so that they can detect a breach, assess its risk and notify the relevant authority in time. This should push HR departments towards privacy by design, which they can only achieve by building data protection into systems from the start of their design rather than treating it as an addition.
Data Retention and Privacy Statement
The GDPR gives individuals a number of rights to safeguard their privacy and the security of their data, including the right to erasure (the “right to be forgotten”), the right to rectification and the right to object to processing. HR departments may retain employees’ personal data only for as long as it is needed for the purpose for which it was collected. Unsuccessful job applicants’ details are a clear case: once the recruitment exercise is over, HR will need a documented reason to keep them (for example, to defend a potential legal claim for a limited period) or the applicant’s consent; otherwise the data should be deleted. The same reasoning applies to ex-employees’ records. HR departments may need a system that sends privacy statements to job applicants at the point of application, explaining why their data is processed and how that processing is carried out. This could be an extension of an existing online application system, with the privacy statement built into it.
Free Subject Access Requests and the Shorter Deadline
HR departments in the United Kingdom are likely to feel the removal of the current £10 fee for subject access requests. Apart from bearing the administrative cost each time an employee asks for a copy of their data, HR personnel will also have to cope with a shorter deadline: the GDPR cuts the response time from 40 days to one month, extendable by a further two months for complex or numerous requests provided the individual is told within the first month. This alone should prompt organizations to review and streamline their processes so that they can respond quickly and efficiently within the one-month deadline, and to prepare for the expected influx of access requests once the law takes effect.
More Specialized Staff
Public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data (such as health records), must designate a Data Protection Officer (DPO). The DPO advises the controller and any processors on GDPR compliance and monitors that compliance. The DPO may be an existing employee or an external appointment, but must be able to act independently. Since the new law requires organizations to demonstrate and document their compliance, creating an accountability structure from the start is central to a successful implementation. HR departments will therefore have to not only appoint or support the DPO but also train staff so that they understand their responsibilities under the GDPR.
Human Resource departments have less than one year to re-evaluate their processes and bring them into line with the GDPR. The law carries severe penalties, and the only way to avoid substantial fines is to comply. Organizations must stop benchmarking against the current UK maximum of £500,000 for a serious breach of the Data Protection Act 1998. The reality under the GDPR is a maximum fine of €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements.