With the new European Union General Data Protection Regulations less than a year away, more and more people are becoming aware of them, as organisations potentially have a lot of work to do to ensure that they are compliant. Most of that awareness, however, sits within organisations’ marketing and IT departments, but it is important to realise that the implications of GDPR are much more wide-ranging than these areas alone. One of the other business functions that should be actively engaging with GDPR is Human Resources (HR).
How GDPR Will Affect The HR Function
Much of what GDPR is about centres on the issue of consent. As it stands, many employers gain an employee’s consent to process their data by including a clause in the employment contract. However, the new European Union General Data Protection Regulations will significantly tighten the rules for gaining consent. GDPR Article 4(11) defines consent as follows:
“ ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
The key difference between the current position on consent and the position under GDPR is that consent must now be informed, explicit and freely given. That means it cannot simply be buried at the back of an employment contract. HR departments will also be required to consider what lawful grounds they have to justify processing employee data, such as the need to comply with a legal obligation or to perform a contract.
Paula Barrett, global head of privacy and information law at Eversheds Sutherland, says HR should be using consent as a “last resort”, particularly given growing rhetoric that employees are never truly free to give consent to their employer because there might be adverse consequences if they say no, as well as the fact that consent can be withdrawn at any time.
HR needs to be aware that under GDPR, if there is a data breach, the organisation will have to report it to the appropriate authorities within 72 hours. If the breach is a particularly serious one that carries a high degree of risk to the individuals concerned (including employees), then the business will need to inform them too.
Right To Be Forgotten
Perhaps one of the most interesting parts of the new European Union Data Protection Regulations is the right to be forgotten. It already exists under European law, but the GDPR will firmly entrench it in national legislation across the member states. The fact that it will extend to information held in HR files on employees could cause problems for HR departments, which will need to balance the handling of historic staff issues against the new obligations.
“To give you an example, if someone gets a warning for something, the Information Commissioner says that, once the warning’s spent, you shouldn’t retain those records,” says Allen. “Most employers do retain the records because, when the same issue arises years later, they want to know that the issue happened before.”
Those HR departments that have not yet started to engage with GDPR should do so imminently, as the new regulations are due to come into force in May 2018.