The new and incredibly unforgiving GDPR rules are due to be implemented in the UK by the 25th May 2018 and have been designed to replace the outdated Data Protection Act of 1998.
One of the General Data Protection Regulation’s most crucial measures is the strengthened right of individuals “to be forgotten”: you may ask a company to erase your personal data, and a company that wrongly refuses to do so exposes itself to a substantial fine.
It has been said that the huge surge in cyber-attacks affecting businesses globally and their devastating consequences have acted as a motive for officials to formally rethink the Data Protection Rules.
Under the new rules, a business must have a lawful basis for storing an individual’s data (consent is only one such basis; for employee data a contract or a legal obligation will often be the more appropriate one), and when someone exercises their right to erasure the business must act without undue delay, unless an exception applies, such as a legal duty to retain the record.
The GDPR was established in Europe but will hugely impact British companies of any size. Many employers are under the impression that the changes will not affect them due to Brexit, but this is not true as the UK will still be a part of the EU when the rules are put into action.
Despite the introduction date being less than 10 months away, the FTSE 350 Cyber Governance Health Check report confirms that only 6% of the UK’s FTSE 350 companies report being fully prepared for the GDPR, with more than half admitting that a lack of cybersecurity is their company’s biggest risk.
Another vital feature of the GDPR is the eye-watering fines that have sent many business owners into a frenzy should they fail to comply.
The penalty for breaches of the security and record-keeping obligations, or for failing to notify a data breach, is up to around £9m (€10m) or 2% of worldwide annual turnover, whichever is higher; this ceiling doubles to around £18m (€20m) or 4% of turnover where the core data-protection principles or an individual’s rights have been breached (for example, a firm refusing to delete someone’s data despite a valid request).
These fines could potentially put a company out of business for good, which should be more than enough encouragement for employers to enforce necessary changes immediately – especially in the HR department, where some of the company’s most sensitive information will likely reside.
The GDPR will undeniably create many challenges for HR consultants, and it could be argued that the fate of a company will depend on how thoroughly their HR department make preparations for the change.
How Should HR Professionals Be Preparing for the GDPR?
Below is a list of steps we highly recommend any HR department in any industry follows, in order to prepare for the changes and ensure your business is compliant.
1) Educate yourself on employee rights.
The GDPR brings significant changes to employees’ rights, giving them clearer entitlements to the following:
– The right to know why and how employers will be processing their data.
– The right to access their own personal data and to have inaccuracies corrected.
– The right to seek removal of their data from workplace systems where there is no longer a reason to hold it.
Knowing these rights will enable you to accurately inform employees about the changes and help with your overall understanding of how the GDPR will come into effect.
You must also ensure that your disciplinary rules cover the misuse of personal data by staff. For example, if an employee whose job involved handling confidential customer data takes that information with them when they leave, you should report them to the ICO, which can prosecute individuals for unlawfully obtaining personal data.
2) Create a Data Breach Response Plan.
If the worst happens, and your IT systems are hacked or data is unlawfully shared, it is imperative you have a response plan in place to minimise the damage effectively.
The GDPR requires a data controller that suffers a personal data breach to notify the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to notify the affected clients or employees without undue delay where the breach is likely to result in a high risk to them; a processor must tell its controller without undue delay. With such a limited time scale, it is entirely worthwhile to work out in advance how you will handle the notification process (e.g. creating an email or letter template to send to clients, and deciding who assesses the risk and who contacts the ICO).
This step also helps your company rebuild customer trust and reputation if they can clearly see you are trying to resolve the issue, as well as keep them in the loop.
3) Be aware of the SAR (Subject Access Request) changes.
When the GDPR changes are introduced next year, the following amendments will be made to Subject Access Requests (a written request made by the individual to the organisation holding their personal data):
– The current £10 fee which companies can charge for SARs will be abolished, unless the request is “manifestly unfounded or excessive”, in which case a firm may charge the individual a reasonable fee or refuse the request.
– Upon receiving a SAR, you must respond within one month, a shorter time frame than the current 40-day period; the deadline can be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month.
– Individuals will be able to submit a request electronically (such as by email) and will receive the reply in a commonly used electronic form unless they ask otherwise.
– A data controller may withhold information where disclosing it would “adversely affect the rights and freedoms of others” (for example, where a record also contains another person’s personal data).
4) Make required changes to the recruitment process.
A pivotal duty of HR consultants is managing the recruitment for their company, and this naturally involves the processing of lots of data. One of the main goals of the GDPR is to encourage companies to delete unnecessary or outdated information, and this will affect the way the recruitment process works significantly.
For example, say an individual submitted their CV to a recruitment team but did not get past the interview stage; the team should delete their data once it is no longer needed, rather than keep it indefinitely in a talent pool. Keeping unsuccessful candidates’ details for longer requires a lawful basis, a defined retention period and a clear explanation to the candidate.
Although this has not yet been clarified, there has been a lot of speculation that routine criminal history checks will no longer be permitted under the GDPR rules unless there is a specific legal basis for them, since the regulation restricts the processing of criminal conviction data. Employers of people who work with children or vulnerable adults will still be required to carry out Disclosure and Barring Service checks.
5) Use data for its intended purpose only.
HR consultants have to be able to provide complete transparency when explaining their reasons for holding a client’s data, and they must use it for those purposes only.
Earlier this year, in March, the airline Flybe was fined £70,000 by the ICO for sending as many as 3.3 million unsolicited marketing emails to customers under the existing rules, a high-profile example of an organisation breaking data laws.
An additional point to consider is that public authorities, and businesses whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data (such as health or criminal records), must now appoint a Data Protection Officer as a legal requirement (a DPO is not compulsory for other businesses, but we highly recommend appointing one).
A DPO will work closely with your company and ensure everything that you do is legally compliant with the changes. This is also a service our esteemed team of employment law advisers can provide you with.
With the clock ticking, we strongly advise that you begin making the necessary changes to the way your company processes data immediately.
The GDPR rules will significantly affect the way in which HR departments operate, but making preparations as early as possible will ensure your company’s data systems are robust and that your clients’ information is safe.
At PeoplePointHR, our consultants and experienced employment law advisers have extensive knowledge of employment law and can help you to ensure every aspect of your business is legally compliant with the changes.