Sunday, July 26, 2020

Deadline on data
Viewpoint careers advice blog

As the UK begins its journey to leave the EU, and regardless of how the Brexit negotiations play out, the General Data Protection Regulation (GDPR) will apply in the UK and across the rest of Europe from 25 May 2018. While its focus is Europe, its repercussions will be global. The fundamental aim of the GDPR is to unify data protection for individuals, handing control of personal data back to the individual and giving them the right to know how any organisation, public or private and regardless of where it is based, is handling that data.

Under the new rules, organisations must not only be able to demonstrate a lawful basis for storing and using the personal data they gather from individuals, but also tell those individuals, on request, where their data is held and for what purpose. Where consent is relied on, it must be freely given through a clear affirmative action, such as a positive opt-in, and it must be as simple to withdraw as it was to give.

Clearly, this is of huge significance to the HR function, which is charged with managing large volumes of personal and sensitive information, especially in global organisations where cross-border data flows and analytics have become increasingly important to operations. How far an organisation is affected will also depend on the nature of its business. Richard Riley, Associate Solicitor in the corporate team at Slater Heelis LLP, says: “Companies facing the biggest challenge in preparing for the GDPR are likely to be those that are data-driven. A small manufacturing company selling to a few distributors, for example, should be able to update its systems and processes relatively easily. However, companies that deal predominantly in personal data will need to look at their operations in detail and ensure that they have appropriate procedures in place.

“This will include assessing the basis for their processing, looking at how they comply with the information provision rules, conducting Privacy Impact Assessments, putting personal data protection at the heart of new systems, as well as potentially appointing a Data Protection Officer. These changes are likely to be wide-ranging and will take time to implement.”

Recruitment processes will also be affected by the GDPR, but Riley suggests this may involve less work than it might first appear. He explains: “In order to process personal data, you need to be able to establish a legal basis for doing so, and processing personal data in the recruitment context can potentially satisfy a number of the bases set out under the new regulations. Currently, recruiters and employers typically rely on consent but we may see this change, given that the threshold for consent will change.”

As is the case today, the rights of the individual may outweigh a company’s legitimate interests, or those of a third party. Companies must consider the reasonable expectations of the individual; in most cases the outcome of weighing the company’s interests against the individual’s will not change, but that assessment must now be well documented and reflect the way the GDPR reformulates the test.

Under the GDPR, data must be kept accurate and up to date, and inaccurate data must be corrected or erased without delay. Employers may hold only the data that is necessary for the purpose for which it is processed, so retention periods should be set to the minimum, allowing for legal requirements to retain certain records. The purposes for which data is processed must be specific, explicit and legitimate, and employers will need to be far better able to explain their actions and decision-making.

Setting priorities

Rachel Tozer, Employment Lawyer at Keystone Law, says: “There are undoubtedly tensions between some of these principles and other business interests. For example, the obligations to keep data up to date and only process data which is necessary would suggest that once an employee leaves the organisation, much, if not all, of the data held about them should be deleted.

“However, your business must also be mindful of its other legal duties, such as keeping records for tax and immigration purposes.

“The organisation will almost certainly want to keep information about former employees, as it may help in the defence of any employment claims that the former employee may bring. Redundancy selection information about successful candidates may well need to be retained to defend claims brought by those who were made redundant.

“In other words,” explains Tozer, “the reasoning will not always relate to the individual who is the subject of the data. The upshot is that each type of information should be considered and your business should set a destruction period for each type based on objective reasoning.”

Companies that fail to comply with the new regulations are taking a significant risk, as the penalties for non-compliance are severe. The most serious infringements of the GDPR carry fines of up to €20 million or up to 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher. Until now, the Information Commissioner’s Office has fined companies hundreds of thousands of pounds for data protection breaches, against a statutory maximum of £500,000 under the Data Protection Act 1998; under the GDPR such fines could be 75 times larger. Failing to meet the GDPR requirements can be expensive in other ways, too.

Vivek Dodd, Director of Skillcast, a training organisation that works with companies on compliance awareness, including preparation for the GDPR, says: “Cyber attacks can cost businesses reputation and the trust of their customers, and such attacks are growing all the time. Even a single attack can have a debilitating effect on the targeted organisation. As with many other regulations, the challenge that the GDPR poses for companies is about changing behaviour. They need their staff to appreciate the sensitivity of personal data, handle it with care and comply strictly with any new procedures. Companies can’t turn a switch on and expect their staff to change their conduct overnight. It will require multiple interventions, reminders and training.”

GDPR: 10 next steps for HR

Rachel Tozer and Sonia Bhola, Employment Lawyers at Keystone Law, detail the necessary next steps for HR teams.

1. Set responsibility. Establish who will be responsible for data protection compliance. Depending on the nature of the business’s core activities, some employers will need to appoint a data protection officer (DPO).

2. Forget consent, identify other reasons. As consent will not be valid in an employment context, employers need to identify another lawful basis which allows them to process personal data.

3. Privacy policies. Rewrite internal data protection policies and subject access policies to include the required new information.

4. Security. Work with IT to ensure that appropriate encryption technology is deployed on all company devices issued to employees.

5. Training. Provide training to managers, both about employees’ new individual rights and the new security obligations, and to employees on how to handle the personal data that they will have access to during their employment.

6. Data breach policy. Draw up a procedure for handling and reporting data breaches within the required time frames and for establishing who needs to be informed.

7. Retention policy. Update (or draft) data retention and destruction policies.

8. Future planning. When purchasing new HR software, ensure the structure of the HR databases allows the employer to access the data to comply with the individual rights of access, restriction, objection and portability.

9. Automated decision-making. If you use profiling, i.e. fully automated decision-making, implement a procedure for dealing with objections. For example, workplace metrics used during the performance review process should be open to contention.

10. Transfer of data outside of Europe. If you transfer personal data outside of the European Economic Area, you will need to put particular arrangements in place to protect that data.

This article originally appeared in the Hays Journal.
