The General Data Protection Regulation (GDPR) applies to the personal data of individuals in the EU that a business processes, meaning that the Human Resources department will be one of the most heavily impacted functions due to the quantity and sensitivity of the data that it processes.
In almost all organisations, the employer is the data controller when it comes to employee data, meaning that the company is solely responsible for defining how the data will be processed. (See also: EU GDPR controller vs. processor – What are the differences?) This article describes the key steps that the HR team should consider when reviewing HR data processing in line with the GDPR.
1) Where is the data?
Carrying out a complete data audit to identify the locations where HR data is held is one of the first steps towards compliance. This exercise may uncover unnecessary data duplication. In these cases, you should select the most appropriate location to keep the data. Having a dedicated HR software system that can be accessed by the relevant people – e.g., line managers – can be an effective way of managing your data.
Once you have defined the locations of your data, document them. Documenting your data processing activities is vital in order to demonstrate compliance to regulatory bodies, such as the Information Commissioner’s Office. Each activity should also have someone clearly identified who is accountable for ensuring that the data is protected. In the case of employee data, your HR Manager or Director would fit the bill. Learn more here: Implementing 3 main accountability principles under the EU GDPR.
2) Do I need the data?
Can you minimise the amount of data that you collect? Remember, the more data you hold, the more data you need to protect. Collecting only the data that is essential for the performance of the HR function is therefore highly recommended and, of course, is a key principle of the General Data Protection Regulation. Your organisation should review the employee data it collects and, where possible, reduce the amount of data held. Assess each item of data on whether processing it is necessary to carry out the HR function effectively.
Another key consideration when storing and processing employee data is how long the data must be retained. Article 5(e) of the GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. Upon reviewing the GDPR requirements, it may therefore be necessary to update your data retention policy. When setting retention periods, you will also need to take account of applicable legal requirements; for example, UK businesses are obliged to keep seven years’ worth of employee PAYE and National Insurance data available for HMRC.
3) Why am I processing this data?
Once you have identified the data that you require, consider your lawful basis for processing the data. The six lawful bases covered under GDPR are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Under the current Data Protection Act, consent is used as a common lawful basis for processing employee data. However, under the GDPR, this may no longer be a viable option. This is because the GDPR specifies that “consent must be freely given.” Given that the employee is entering into a contract for employment, they are not likely to decline to provide personal information. See also: Is consent needed? Six legal bases to process data according to GDPR.
Consider your legal obligations and legitimate interest instead. The GDPR also states that consent must “be separate from other terms and conditions,” meaning that relying on a clause within a contract of employment is also not an option.
One basis that could be used is the legitimate interests of the business. This applies only where the processing is “necessary for the purposes of the legitimate interests … except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.” It is therefore important to consider the impact on the data subject. Another basis that could be considered is legal obligation – for example, in order to fulfil a contractual agreement.
Remember, if you can’t justify your lawful basis for processing data, you could face large fines.
What should HR consider in line with GDPR?
This article has provided guidance on three areas that should be incorporated into your review of HR data processing activities. Key takeaways for HR professionals to consider are:
- What data is processed
- Where data is stored, and for how long
- Why data is collected, and under which lawful basis
With fines of up to €20 million, it is crucial that all businesses comply with the upcoming General Data Protection Regulation well ahead of the 25th May due date. Each organisation is different, and all companies must assess their own data processing activities in order to ensure that they are compliant with the upcoming GDPR.