9 April 2018
The GDPR: what do HR professionals need to know?
As an HR professional, chances are you have been overwhelmed with GDPR-related news this last year. But with so much information available, it can be difficult to know exactly how the GDPR will affect you and your work.
To help you get your head around the coming changes, here are some of the key GDPR issues for HR professionals – and some tips on how to prepare.
The GDPR will extend the rights of data subjects, providing employees with greater transparency and control over how their data is processed. This will place further obligations on employers and could potentially disrupt current HR practices.
Although there is a legal requirement for the limited retention of HR and payroll records, in some cases the new ‘right to be forgotten’ will allow employees to request that their personal data be erased from company records. In addition, employees have a right of access to their personal data and can also request that it be changed or erased if incorrect.
Employees can formally request to see a record of the personal data processed by their employer, known as a subject access request (SAR). Under the GDPR, employers must respond to a SAR without undue delay, but at most within 30 days of receipt. As an HR professional, you need to know how to deal with subject access requests, what kind of personal information is being processed and how to locate it.
Although the majority of HR personal data that is processed will not require consent as the legal basis for processing, some areas such as the initial stages of recruitment may do. Where this is the case, and for other consent-based processing, the GDPR does impose stricter rules.
Gone are the days of indecipherable consent clauses, legalese and opt-outs. Instead, consent must be given freely and actively, with the terms and conditions written in a manner understandable to all.
Under the GDPR, data processed by an organisation should be “adequate, relevant and limited to what is necessary for the purpose it was collected.” Put simply, keep it short and sweet. When you start to process unnecessary data, you put yourselves at potential risk of a breach.
The key thing here is what is necessary for the purpose; you cannot collect personal data because it might be useful, or if no specific purpose for it has been identified. This will be particularly challenging for HR departments that process vast amounts of data.
In order to be GDPR compliant, organisations will have to implement data minimisation rules and processes at every step in the data lifecycle.
The GDPR also states that data shall be “kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which the personal data is processed.” This means that organisations need to have a retention policy in place and anonymise or delete personal data once it has been used for its intended purpose. Thankfully, HR and payroll software can help by allowing you to set data retention rules on a mass scale.
In some situations, companies will be required to report a personal data breach to the relevant supervisory authority within 72 hours of its discovery. To avoid hefty fines, HR departments should have a set procedure in place in the event of a data breach, which all HR professionals should be familiar with.
Organisations must provide data subjects with a privacy notice at the point when the personal data is gathered. In HR terms, this means you must notify candidates and new recruits that their personal data is being processed.
The GDPR states that a privacy notice is a statement made to a data subject that describes how the organisation collects, uses, retains and discloses their personal information. It needs to be concise, transparent, intelligible and easily accessible, and written in clear and plain English.
Your privacy notice should tell people:
- Who you are
- What you are going to do with the information
- Who it will be shared with
Top Tips to Prepare for GDPR
A company’s ability to adapt to the GDPR will be the difference between success and failure in the new data protection environment – so preparation is key. From an HR perspective, there are a number of practical things you can do to get your department up to speed.
- Knowledge is power
From support staff to directors, all HR professionals will be affected by the coming changes. Proper GDPR training will ensure that your team is well informed, both individually and collectively. HR departments must be armed with knowledge if they are to successfully navigate the road ahead – and avoid those eye-watering fines.
- Know where you stand
In order to get compliance-ready, you’ll need to know the extent of the personal data your company processes and how it is used. A data audit will provide a clear picture of where you stand and what you need to do in order to achieve compliance.
- Revise, rewrite, update
- Act now
GDPR is imminent, and there is much for HR departments to do before it is implemented. While the task ahead may be daunting, effective planning and preparation will ensure your company transitions smoothly into the new data protection era. With the clock ticking, GDPR compliance should be top of the HR agenda between now and 25 May.
At MHR, we understand the challenges that organisations face in preparing for the GDPR. That’s why we offer a range of services designed to help you get up to speed, from our online GDPR Staff Awareness training course to our handy GDPR self-assessment form. Our award-winning iTrent software also comes with a number of enhancements designed to help you carry out GDPR-related HR and payroll tasks quickly and easily.