Why the GDPR will change how HR treats employee data
New regulations will prompt cultural changes in HR’s attitudes towards collecting and protecting sensitive employee data, experts argue
Any HR professional worth their salt will be aware that significant changes to how employee data is collected and stored come into effect on 25 May 2018, when the General Data Protection Regulation (GDPR) will be enforceable across the EU, including in the UK. Not only will the requirements on data controllers and data processors be more stringent, but the potential fines for non-compliance will rise: to a maximum of €20 million, or 4% of total worldwide annual turnover (whichever is higher), for the most serious cases.
The GDPR’s requirements will inevitably touch every stage of the employee lifecycle. But, despite the widespread publicity and long run-up to the legislation’s introduction – and the fact that nearly half of HR professionals surveyed by the CIPD recently said it was their biggest concern for 2018, and 89% of those we surveyed named it as a focus area – anecdotal evidence suggests many HR teams still have work to do. “Most of the organisations that I’ve come into contact with have a plan, but maybe aren’t as comfortable with their position as they’d like to be,” says David D’Souza, membership director at the CIPD.
Sarah Dillon, director at ESP Law, agrees: “One of my clients has almost finished their work, but is waiting for the final bill to be produced by the government. On the other hand, there are people we talk to who either don’t know about it or are thinking they can just sort it out later.”
“HR needs to strike a real balance between being paranoid about some of the broader changes of GDPR, and at the same time being incredibly well prepared for it, given the information that we do have,” adds D’Souza.
There’s a significant amount of work for HR to do before 25 May 2018. It will need to map all the data it collects on its employees, categorise it, determine which of the six lawful bases for processing apply in each case, and gain explicit consent from employees if relevant. “You don’t need consent for passing payroll details to HMRC, for example, because there is a legitimate interest for doing so,” says Dillon. “But things are more complex if, for example, you use a fingerprint clocking in and out system: is consent needed, or does that fall under one of the other reasons? It’s actually a very big job for employers – and they need to keep records of what actions they’ve taken and why.”
Given that data analytics is becoming an increasingly core component of HR’s role – and, as Josh Bersin, principal at Bersin by Deloitte, notes, employers are collecting more data on workers than ever – ensuring compliance with data protection regulations and guarding against cybersecurity breaches is becoming increasingly vital.
Kathryn Kendall, chief people officer at Benefex, says she’s taken a “systematic” approach, reviewing the handling of data at each stage of the employee lifecycle to identify and implement improvements with the support of the company’s information security director.
While the administrative obligations are big enough undertakings on their own, HR has another significant job to do: to engender a data-aware culture within the organisation. “Organisations need to make sure they are operating not just within the letter of the law, but within the spirit of the legislation,” says D’Souza.
Kendall says she’s fortunate that, because Benefex’s business model depends on data, “there’s a real heavy onus in the business in terms of getting people to understand that the data is everyone’s responsibility; that it’s not the responsibility of our directors, or our security team – it belongs to every single person in the business. That culture makes my life a lot easier.”
So what else will HR need to worry about? Dillon warns that the end of fees for subject access requests (SARs) – which could cost up to £10 under the Data Protection Act but will be free from 25 May 2018 – could mean employers will face a significantly larger administrative burden. “That £10 fee used to put off quite a few people from putting in the request, so I expect the number that organisations will receive to increase quite significantly. They also have less time to comply with the request; it used to be 40 days, but under the GDPR, they will have only 30 days.”
Employers may refuse, or charge a reasonable fee for, requests that are ‘manifestly unfounded or excessive’, and may extend the deadline for requests that are ‘complex’, but there’s currently no legal definition of what those terms mean in practice. “That’s a big outstanding question: at what point does a SAR become too complex or expensive or unreasonable?” says Dillon. “For example, one client had someone request all the emails related to her for specific dates over a 10-year period. That search brought back 65,000 emails, and each had to be looked at to decide if it included personal data or not. Under the old regime, we could say: ‘that’s an unreasonable request, you need to refine the scope of your search’. That’s not going to be as clear under the GDPR.”
In larger organisations, Dillon says that carrying out SARs will involve a number of teams: HR will likely be the initial recipient of a request, with IT carrying out data searches, and then a data protection officer or in-house legal team may review the data and sift out what’s relevant to the request. “But if you are in a smaller business, it’s going to be you, as HR, who does all this.”
The GDPR also features detailed requirements around the portability of employee data, adds D’Souza: “An employee will be able to request from a former employer the data it holds on them, in a format that would be easily moveable to, for example, a new employer or a health organisation you wanted to liaise with.” Of course, employers will still need to hold on to selected employee documents for the required retention period, notes Dillon. “HR will probably have to tell the employee, ‘I have sent XYZ but I have retained copies of these documents, and these are the reasons why.’”
While admitting the GDPR’s introduction is a “seismic change”, Kendall remains optimistic about its likely impact. “I see it as an opportunity to get our houses in order; there’s nothing in the regulations that’s outrageous or unreasonable. Provided you are pragmatic and proactive in your approach, I don’t think there is anything to worry about.”