Practical Tips on GDPR for HRPosted in : Supplementary Articles NI on 21 August 2018
This is an article about the four letters in GDPR – the General Data Protection Regulation. GDPR has a direct effect across all EU member states however, it gives member states limited opportunities to make provisions for how it applies in their country. The Data Protection Act 2018 outlines these details.
Now that we have had a few months for the new Act to bed in, we will take a look at some key issues under the four most hated letters in the English language: G D P & R…
1. Know Your Data
It is crucial to delineate what information you hold on your employees. HR practitioners manage endless amounts of employee data. Some of this will fall into what was previously classed as sensitive data and is now classed as ‘special category’ data. It is important to understand what data you are capturing within your organisation, more specifically, how it is processed, what you do with it, and who you share it with. This can be achieved by carrying out an audit or data flow analysis exercise.
And of course, you must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
It is also important to note that if you outsource any of your HR functions, GDPR gives processors responsibilities and liabilities in their own right, and processors, as well as controllers, may now be liable to pay damages or be subject to fines or other penalties. It is crucial to have a contract in place and that both parties understand their responsibilities and liabilities.
You must determine your lawful basis before you begin processing. You should document it and you should take care to get it right first time, as it will be much harder to swap between lawful bases at will if you find that your original basis was invalid.
The GDPR brings in new accountability and transparency requirements. You should therefore make sure you clearly document your lawful basis so that you can demonstrate your compliance in line with Articles 5(2) and 24.
Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Special Category: Special category data is personal data that is more sensitive, and so needs more protection, for example, information relating to data subjects disability, ethnicity, religion or health. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.
There are ten conditions for processing special category data in the GDPR itself, but the Data Protection Act 2018 introduces additional conditions and safeguards.
Consider whether your organisation has any special security measures in place for the processing and transfer of this type of information.
2. Know How and When to Report a Data Breach
The GDPR introduces a duty on all organisations to report certain types of a personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data required to notify.
When reporting a breach, the GDPR says you must provide a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
3. Understand the Increased Rights of Individuals
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.
The right of access: Living individuals (‘data subjects’) have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing. You have one month to respond to a request. You cannot charge a fee to deal with a request in most circumstances.
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual’s consent.
You can refuse to comply with a subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
The right to rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing.
You have one calendar month to respond to a request. In certain circumstances, you can refuse a request for rectification. This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5) (1) (d)).
The right to erasure: The GDPR introduces a right for individuals to have personal data erased. This is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. You have one month to respond to a request. The right is not absolute and only applies in certain circumstances.
The right to restrict processing: Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
The right to data portability: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing.
In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
Rights relating to automated individual decision-making and profiling: The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual).
4. Ensure Accountability
Accountability is one of the data protection principles - it makes you responsible for complying with the GDPR and that you must be able to demonstrate your compliance. You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
There are a number of measures that you can, and in some cases must take including:
- adopting and implementing data protection policies;
- taking a ‘data protection by design and default’ approach;
- putting written contracts in place with organisations that process personal data on your behalf;
- maintaining documentation of your processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments (DPIAs) for uses of personal data that are likely to result in high risk to individuals’ interests;
- appointing a data protection officer; and
- adhering to relevant codes of conduct and signing up to certification schemes.
Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place. If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation. Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.
5. Train Your Staff and Update Your Policies
You should provide data protection training for all staff on GDPR implications ensuring they are aware of the relevant policies and changes.
Organisations are increasingly vulnerable to the risk of loss, damage or destruction of their data and the new requirement to notify the ICO within 72 hours of a breach means you should ensure staff are trained on how to keep data secure.
A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures. Where appropriate, you should look to use measures such as pseudonymisation and encryption.
Data Retention and Disposal Policy: One of the six privacy principles under the GDPR is “storage limitation.” This should include the measures you are taking to ensure the security of data during the period it is retained, and how you will securely dispose of the data when it is no longer needed. The GDPR does not specify particular retention periods, but you should not hold on to data longer than necessary.
Privacy Notice: Staff need to be informed about the data you hold about them, how it will be processed, details about the organisation’s lawful right to process it, and how their right to privacy will be respected.
Data Subject Access Requests Policy: Data subjects – those whose data is held or processed by an organisation – have the right to make a subject access request to find out what information is held about them. There is now a shorter timeframe for response (one month) and no fee payable, make sure your policy reflects this.
Data Breach Reporting Policy: HR departments need to inform their staff about the steps an organisation would take in the event of a data breach. This should be a comprehensive plan that follows the guidelines set out by the ICO, and include the need to report data breaches within 72 hours and inform the relevant parties.
D – Data - What data is protected and what to do when an employee asks for references about them in their personnel file or in an investigation report to be expunged.
What data is protected by the DPA?
The Data Protection Act 2018 defines personal data as any information relating to an identified or identifiable living individual. Any individual so identified is the ‘data subject’.
The ICO website states that data is:
- Personal data is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
- If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
In the context of an employment relationship, personal data will include an employee’s name, gender and other social characteristics, such as race or religion and date of birth; home address and contact details; employment history information; payroll and tax information; bank account information; NI number; and just about any information that relates to an identified or identifiable employee.
Requests for Erasure
Once a request for erasure is made on one of the bases in Article 17(1), the employer must erase it without delay unless continued retention is necessary for certain specified reasons contained in Article 17(3), including the need to comply with a legal obligation; exercising an official authority; and the establishment, exercise, or defence of legal claims.
P - Protection of personal data - how to encrypt HR data, protocols for mobile devices and practical advice for staff when working from home.
Encryption protects information stored on mobile and static devices and in transmission. It is a way of safeguarding against unauthorised or unlawful processing of data. There are a number of different encryption options available. Organisations should consider encryption alongside other technical and organisational measures, taking into account the benefits and risks that it can offer.
Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.
Guidance on how to implement encryption can be found on the ICO website:
There is a recent trend to allow employees to use their own devices at work. Essentially, this means that the device is connected remotely to company systems. There are obvious risks in this - the employee's personal device can be lost or stolen, confidential proprietary information can go missing more easily, and there are legal risks as well, as the device is not owned by the company but is responsible for the personal data belonging to the company that may be on the device. If a company allows its employees to use their own devices at work it is essential to have a ‘bring your own device’ policy in place to address these issues.
Organisations should consider encryption, automatic data deletion and remote data deletion to minimise the risks involved. Many companies have an ability to delete their information remotely. This means that if the employee loses his device, the company may be able to recover or delete company information from it.
Nowadays there is an increasing number of employees working from home. It is important for employees to ensure confidential information is safe and secure whilst doing so. Staff need to understand the importance of protecting personal data, become familiar with their organisation’s security policy and put its procedures into practice.
R - Regulation and compliance - how to build data protection into your HR meetings, training and decision-making processes.
Data protection by design and default: You should integrate appropriate technical and organisational measures into your processing activities and business practices to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
Data protection by design and by default are legal requirements under the GDPR, as outlined in Articles 25(1) and 25(2).
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.
As expressed by the GDPR, it requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into your processing so that you meet the GDPR's requirements and protect the individual rights.
Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose and links to the data protection principle of data minimisation.
You must consider things like:
- adopting a ‘privacy-first’ approach with any default settings of systems and applications;
- ensuring you do not provide an illusory choice to individuals relating to the data you will process;
- not processing additional data unless the individual decides you can;
- ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- providing individuals with sufficient controls and options to exercise their rights.
The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:
- you consider data protection issues as part of the design and implementation of systems, services, products and business practices;
- you make data protection an essential component of the core functionality of your processing systems and services;
- you only process the personal data that you need in relation to your purposes(s), and that you only use the data for those purposes;
- personal data is automatically protected in any IT system, service, product, and/or business practice so that individuals should not have to take any specific action to protect their privacy;
- the identity and contact information of those responsible for data protection are available both within your organisation and to individuals;
- you adopt a ‘plain language’ policy for any public documents so that individuals easily understand what you are doing with their personal data;
- you provide individuals with tools so they can determine how you are using their personal data, and whether you are properly enforcing your policies; and
- you offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
DPIAs (Data protection Impact Assessments) are an integral part of data protection by design and by default. They can be used to identify and reduce the data protection risks of your processing activities. They can also help you to design more efficient and effective processes for handling personal data.
This HR Checklist for GDPR Compliance composed by People HR is a useful tool to use when attempting to incorporate data protection principles into your training and processes: https://www.peoplehr.com/includes/down/GDPR_Checklist_for_HR.pdf
This 9 step guide from the EU GDPR Academy also offers comprehensive advice on how to implement GDPR into your projects: https://advisera.com/eugdpracademy/knowledgebase/9-steps-for-implementing-gdpr/
This article is for general information purposes only and does not constitute legal or professional advice. Most of the guidance contained in this article was derived from information found on the ICO website.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.