In the second of our series on the General Data Protection Regulation (GDPR) and what it means for employers and HR teams, we focus on how to manage employee data in line with the GDPR and how this will affect employers.

The GDPR and employee rights

For many employers, employee data is likely to pose the greatest compliance risk under the GDPR. Employees (as data subjects) will have greater control over their data, the way it is processed and how your business uses it.

The GDPR provides employees with new and greater rights, including:

  • The right to be informed: This flows from the transparency requirement (data subjects should be told who is processing their data, why, and for what purpose, and, where the processing relies on their consent, should be given a genuine choice as to whether they agree to it). Employers, therefore, need to be open with employees about the data they collect and the purposes of processing.
  • The right of access: This right is similar to the current right under the Data Protection Act 1998 (DPA), however, with some subtle changes which will impact upon how you deal with a subject access request (SAR). This is worthy of a blog of its own and will be the last in our series.
  • The right to rectification of data: This applies when data is inaccurate or incomplete and is similar to the right provided under the DPA. Businesses will need to have processes and procedures in place so that data is rectified timeously.
  • The right to be forgotten: This right, in certain circumstances, allows data subjects to request that their data be deleted where it is no longer necessary. Data subjects can request the erasure of data if the data is no longer necessary for the original processing purpose, where consent has since been withdrawn, where the data was processed unlawfully or where erasure is necessary to comply with the law. Where data is held or used in the Cloud or by third parties, this obligation will be more difficult for employers to comply with, as they must notify all parties who use the data of the erasure and request that they also comply with the subject's request.
  • The right to data portability: This allows employees to obtain and reuse their data for other purposes across services. It flows from the control of data the GDPR gives to data subjects, and gives them the right to receive a copy of their personal data in a commonly used, machine readable format, and to have the personal data transmitted from one controller to another. Note that the right is limited to data the employee has provided and which is processed by automated means on the basis of consent or a contract. For example, when an employee leaves and joins another organisation, the data subject could request that their data be transferred from their old employer to their new employer. Businesses will therefore need to put in place systems to deal with data portability requests and ensure that any systems they use for storing data are compatible and allow data to be extracted and transferred easily.

What does this mean for employers?

With employees having increased rights and control over their own data, this places more obligations on employers and HR teams to ensure they are complying with the GDPR.

Additionally, under the GDPR, data processors and controllers will both be directly subject to data protection law. This is a departure from the DPA, under which only data controllers were directly regulated. This is key, as employers and HR teams will need to consider who is a data controller and who is a data processor in relation to their data, since both will have obligations under the GDPR.

Accountability – Key to the GDPR!

The GDPR will introduce a new principle – accountability. This will require organisations not just to comply with the GDPR but to ensure they have evidence to demonstrate their compliance. Therefore it will also be important for employers to keep accurate and effective records of the data processing activities to comply with the GDPR.

What does accountability in practice look like for employers/ HR teams?

  • Employers/HR teams should put in place measures to ensure they are complying with the GDPR and have evidence to demonstrate their compliance. Conducting an internal audit of processing activities to identify what processing employers/HR teams actually carry out is critical to compliance and will provide knowledge and understanding of what personal data is processed; with this, employers/HR teams will be able to address compliance properly. Changes could include amending data protection statements in contracts of employment, updating or putting in place new data protection policies, or implementing a new data protection training regime. The key here is to review all existing practices to ensure they comply with the GDPR and to identify areas where there might be compliance issues when the GDPR applies from 25 May 2018.
  • Maintain documentation on the processing activities carried out.
  • Appoint a Data Protection Officer (DPO) where required.

Privacy by Design

One of the integral principles under the GDPR is ensuring that organisations "bake" privacy into all of their procedures and policies to ensure compliance with the GDPR.

This GDPR principle aims to put data protection and privacy at the heart of organisations' policies and procedures to encourage data protection compliance from the outset and not as an afterthought.

To comply with this, organisations should consider data protection at the outset when implementing new procedures and policies, for example, outsourcing pension administration, putting data in the Cloud, or even outsourcing HR functions.

What does this mean in practice?

  • Transparency with regard to the functions and processing of personal data. This is all about giving the data subject control over how their data is processed. Data subjects should be told what data is being collected, for what purposes the data will be used and the details of the controller and processor (if not the same person).
  • Minimising the processing of personal data: collecting and processing only the personal data that is adequate, relevant and necessary for the purpose of the processing, and no more.
  • Pseudonymising personal data. This means having a system in place where personal data can no longer be attributed to a specific data subject without the use of additional information (for example a key or a lookup table), and that additional information is kept separately and protected so that it cannot be combined with the pseudonymised data.
  • Privacy Impact Assessments (called Data Protection Impact Assessments, or DPIAs, in the GDPR). These will affect employers and HR departments more than most other functions, as various aspects of HR activity, for example recruitment and post-employment issues, may require a PIA to be conducted where the processing is likely to result in a high risk to individuals. A PIA allows organisations to see the potential dangers of a data processing activity at an early stage and to create mechanisms that mitigate the risk before it becomes a reality.
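As an added illustration of the pseudonymisation principle (this is not code from the original article or from the firm), the Python script below takes a constructed set of HR records, strips the direct identifiers (employee ID, name, e-mail), and replaces them with a token derived from the employee ID under a secret key. The key and the token-to-identity lookup table are the "additional information": whoever holds only the pseudonymised data set cannot attribute a record to an employee, and whoever holds the lookup table can. The field names and the employee records are assumptions made for the example.

```python
"""Pseudonymising an HR record set with a keyed hash (HMAC-SHA256).

Added example, not from the original article. The employee records below
are constructed sample data and the field names are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample HR records (not real people).
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Alice Example", "email": "alice@example.org",
     "department": "Finance", "salary_band": "C", "sickness_days": 3},
    {"employee_id": "E1002", "name": "Bob Sample", "email": "bob@example.org",
     "department": "Finance", "salary_band": "B", "sickness_days": 0},
    {"employee_id": "E1003", "name": "Carol Test", "email": "carol@example.org",
     "department": "HR", "salary_band": "C", "sickness_days": 7},
]

# Fields that identify a person directly and must not appear in the
# pseudonymised data set.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")


def new_key() -> bytes:
    """Generate the secret pseudonymisation key (32 random bytes).

    This key is part of the "additional information" and must be stored
    separately from the pseudonymised data, under its own access controls.
    """
    return secrets.token_bytes(32)


def pseudonym(key: bytes, employee_id: str) -> str:
    """Derive a stable pseudonym for an employee ID under the secret key.

    HMAC rather than a bare hash: employee IDs are low-entropy (E1001,
    E1002, ...), so an unkeyed SHA-256 could be reversed simply by hashing
    every plausible ID. With HMAC, reversal requires the key.
    """
    mac = hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, lookup table).

    The lookup table maps pseudonym -> direct identifiers. It must live in a
    different system from the pseudonymised records, otherwise the data has
    merely been relabelled, not pseudonymised.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = pseudonym(key, rec["employee_id"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"pseudonym": token,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, lookup


def reidentify(record, lookup):
    """Re-attribute a pseudonymised record using the separately held lookup.

    Raises KeyError if the pseudonym is unknown, e.g. because the record
    was produced under a different key.
    """
    return lookup[record["pseudonym"]]


def contains_direct_identifiers(records) -> bool:
    """True if any record still carries a direct identifier field."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = new_key()
    data, table = pseudonymise(EMPLOYEES, key)
    for rec in data:
        print(rec)
    print("direct identifiers present:", contains_direct_identifiers(data))
    print("re-identified record 3:", reidentify(data[2], table))
```

The pseudonymised records can be handed to, say, an analyst working on absence statistics by department without giving them employee names, and only HR, which holds the key and lookup table, can map a result back to a person. Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under the GDPR (the link to the individual exists, it is merely held elsewhere), and because the pseudonym is stable under a given key, records from different extracts can be joined; use a different key per purpose if that joining is itself a risk.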

How can employers/HR teams prepare?

  • Review data management records to ensure compliance with the GDPR.
  • Ensure use of PIAs where appropriate to identify potential data protection risks at an early stage.
  • Review the data currently held to ensure that the processing will be compliant with the GDPR.
  • Read our blogs and come to our GDPR seminars!

Our next blog, "Lawful Processing", will be out later this week!

We are running seminars on the GDPR in May and June. If you would like to know more about how your organisation can prepare for the GDPR, sign up by clicking on the most suitable date below:

Prepare your business for the GDPR – 18 May 2017 (Edinburgh)

Prepare your business for the GDPR – 25 May 2017 (Glasgow)

Prepare your business for the GDPR – 1 June 2017 (Stirling)

Prepare your business for the GDPR – 8 June 2017 (Dundee)

© MacRoberts 2017

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.