Jo Stubbs, Head of Content at XpertHR Group
The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It replaces the Data Protection Act 1998 in the UK and marks the start of a radical new data protection landscape, with significant penalties for non-compliance.
In general, the impact on the UK’s financial sector will be significant given the huge number of records and data transactions they handle every year – but organisations also specifically need to consider how the GDPR will affect them from an HR perspective.
XpertHR research[i] carried out earlier this year suggests that the vast majority of HR professionals do not have a good understanding of the upcoming GDPR, with 51% of respondents describing their level of understanding as low, and 45% saying they had only “some” understanding. Just 4% of respondents said they had a good understanding of GDPR requirements.
With six months to go, it is imperative organisations understand the implications of GDPR from an employment perspective or they risk heavy fines, as well as potential reputational damage for failing to comply. Fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater, could be levied.
Ensuring compliance will require substantial investment in terms of money, organisational resources and management time, so the sooner companies start preparing the better.
What are the implications of the GDPR for HR?
The GDPR will introduce a system of “data protection by design and default”, requiring organisations to take data protection risks into account throughout the design and operation of all policies, processes, products and services – including HR policies and procedures.
While employers currently typically rely on employee consent to process their data – often given via a broad clause in employment contracts – under the GDPR this will be much harder and they will generally have to find an alternative basis. In addition, employers will be required to keep extensive records, including the type of employee data they process and the reasons for processing it.
Employees’ right to receive a copy of all data held on them by their employer will also be strengthened, with fees for such data subject access requests removed and a shortened time frame for employers to provide the information.
How can companies get ready?
It is vital for employers to secure board and senior management level buy-in now to effect compliance across the organisation within the required time frame. They should identify key stakeholders and ensure that the organisation has an executive sponsor on board to support the project through to May 2018 and beyond.
Employers will need to allocate sufficient resources to ensuring compliance with the GDPR, considering the size of their organisation, the types and volumes of data it processes and the level of risk. There is no “one-size-fits-all” solution and the organisation’s structure and culture will play a large part in how it implements its compliance programme.
Cross-functional team work will be crucial and organisations will need their legal, HR, IT and compliance teams to take an integrated approach. They will need to bring together a team with the necessary skills and expertise to develop and implement a compliance programme, setting out the tasks, responsibilities and reporting lines of the individuals involved.
Once the team is in place, it will be important for it to work with each business area to identify the specific privacy risks to which the organisation is exposed, and how the organisation can mitigate or avoid them. The team should carry out an initial review of existing data processing practices against GDPR requirements and identify gaps between current practice and GDPR requirements and assess the level of privacy risk.
Once an organisation has conducted this initial audit and risk assessment, the next step is to develop and implement a GDPR compliance programme, prioritising compliance activity and remedial measures based on areas with the highest risk and most significant impact. The organisation may need to adjust its initial estimate of time frames once it has started its compliance efforts and has a better understanding of how the GDPR requirements relate to its data processing practices and IT systems.
The implementation of a structured programme will assist in mitigating the risk of a fine and reducing the severity of any infringements. Employers should aim to be compliant by 25th May 2018, but this may be challenging in practice, so they should focus on the most important and riskiest areas first.
XpertHR has produced a guide providing an overview of the GDPR changes relevant to HR and the strategic considerations for organisations developing a compliance programme. The guide can be accessed here.