General Data Protection Regulation

Understand the impact for your HR systems

The General Data Protection Regulation (“GDPR”) applies across the EU (including the UK) from 25 May 2018. It will affect all businesses, in different ways.

You may have heard about the eye-watering fines and complexity of the GDPR. Don’t panic: learn here what you need to know about the GDPR using our no-fuss interactive Learn-o-Graphic.

Our overview of the main GDPR headlines is below: explore what most interests you to learn more about key concepts, how they affect your business and to assess practical steps.

Core Personal Data Principles
remain the same
A lot is staying the same under the GDPR.
Here is a quick refresher

For a quick reminder, see the useful summary published by the UK data privacy regulator, the Information Commissioner’s Office, of the core principles and key definitions under the law applicable before the GDPR’s May 2018 effective date.

Key definitions are set out in Article 4 of the General Data Protection Regulation, and the core principles relating to processing in Article 5 (Chapter II).

Any existing compliance concerns? If so, these are likely to remain problematic under GDPR.
Read on for more details

An example of an existing compliance concern: relying on the so-called “model clauses” (standard contractual clauses) as the basis for lawfully transferring personal data outside the EU. Following the 2015 Court of Justice ruling that invalidated the Safe Harbour framework, there are question marks over whether model clauses are a safe method for ensuring lawful data transfers; those questions remain under the GDPR.

How can we help?

Auditing your data from scratch to assess data protection concerns can be daunting. We offer a simple, checklist-based approach to analyse what data you process, how and why, to identify concerns in a user-friendly structure, and to advise on the options for ensuring compliance.

Territorial Scope
The GDPR will catch businesses which handle personal data relating to individuals within the EU - even if the business is outside the EU.

Was your business previously outside geographical scope of EU data protection laws?
Check whether that's still the case.

The GDPR will catch:

  1. Businesses and employers within the EU which process personal data (regardless of where that processing takes place)
  2. Businesses and employers outside the EU which process personal data relating to individuals who are within the EU, provided the processing relates to:
    • the offering of goods or services to those individuals (whether or not payment is required); or
    • monitoring the behaviour of those individuals, as far as that behaviour takes place within the EU.

How can we help?

It will usually be obvious whether you are in scope of the GDPR and need to comply. But if you have any questions about this, please do contact us.

Financial Risk
Penalties for breach of the GDPR will increase, up to 4% of annual worldwide turnover or EUR 20M, whichever is higher. Some EU states may also impose criminal penalties.

Do you need to escalate this issue internally to ensure it receives sufficient management focus and resources?
Here are some practical steps

Some examples of steps to escalate data protection reform:

  1. Note data protection on your risk agenda / get board level buy-in
  2. Appoint a senior officer to be responsible for GDPR compliance. Some organisations are obliged to appoint a Data Protection Officer under the GDPR; assess whether this applies to you.
  3. Watch the Information Commissioner’s Office’s Messages for the Boardroom.

Accountability and Governance
Requirements increased
In summary, the increased requirements are:
  • Controllers must positively demonstrate compliance, not just respond to breaches or complaints.
  • Most organisations must meet new record-keeping obligations (the exemption for organisations with fewer than 250 employees is narrow).
  • Controllers must implement "privacy by design" in new processes.
  • Individuals’ rights regarding their data depend on the basis for processing.

Do you know what employee personal data you process and why, the legal basis for doing so, how you use it and for how long you keep it?
Discover why you need to know this under GDPR, and what you need to do about it

The new accountability and governance requirements of the GDPR require organisations to take a more structured approach to how they obtain, use, store and delete personal data. In short, they demand:

  • Accountability: not only to comply with the GDPR, but to put in place measures that demonstrate that you do. This may include internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies.
  • Maintenance of records of processing activities. Organisations with fewer than 250 employees are exempt, but only if their processing is occasional, is unlikely to result in a risk to individuals, and does not include special categories of data or data relating to criminal convictions; routine HR processing will rarely qualify for the exemption.
  • Implementation of policies and systems at the outset of any product or process development to ensure data protection compliance (“privacy by design and by default”).
  • Processing that is likely to result in a high risk to individuals requires a data protection impact assessment before it begins.

In practice this means you need to know what employee personal data you process and why, the legal basis for doing so, how you use, store and delete it.

This can cause particular challenges for HR data, as it is likely to include a mixture of:

  1. personal data obtained in a structured way for a particular purpose (eg contact details obtained on recruitment); and
  2. personal data exchanged in an unstructured way (eg via emails, text or instant messaging services: “I’m stuck in traffic” or “I have a migraine and can’t come in today”).

How can we help?

Auditing your data from scratch to ensure you comply with the new requirements of the GDPR can be a real headache, especially given the mixed types of personal data held by employers. We offer a simple, checklist-based approach to analyse what data you process, how and why, to provide you with a user-friendly structure for ensuring compliance.

Some businesses must appoint a Data Protection Officer, depending on how they use data.

Your business will only need to appoint a DPO (unless national law imposes a wider requirement) if you:

  • carry out, as a core activity, regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking); or
  • carry out, as a core activity, large scale processing of special categories of data or data relating to criminal convictions and offences; or
  • are a public authority (except for courts acting in their judicial capacity).

For more details from the Information Commissioner’s Office, explore here: When does a Data Protection Officer need to be appointed under the GDPR?

How can we help?

It will be obvious in many cases whether you need to appoint a DPO. “Large scale” is not defined in the GDPR, but the monitoring trigger applies only to controllers and processors whose core activities, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; most businesses should have a good sense of whether this applies to them. However, if you are unsure how the rules apply to you, or if you are considering appointing a DPO voluntarily, please contact us.

Data Subject Access Rights
You will need to respond more quickly when an individual requests access to their personal data. Individuals also have new rights regarding their data, including to have it erased, corrected, and taken elsewhere.

Take another look at your data subject access policies, processes and training to check they meet the new requirements
What are the new requirements?

Data subject access requests, which many businesses receive from disgruntled employees, are changing. You will no longer be able to charge a £10 fee for responding to a request, and you should normally send your response within one month of receipt (rather than the current 40 days), although there are circumstances in which you can extend the response time by a further two months for complex or numerous requests.

There’s good news too: where requests are manifestly unfounded or excessive, in particular because they are repetitive, you may be able to charge a reasonable fee based on the administrative costs of providing the information, or refuse to respond. If you refuse, you must tell the individual why and that they may complain to the regulator.

The GDPR also introduces or strengthens a number of key rights for individuals concerning their personal data.

These rights include rights (in certain circumstances) relating to:

  • obtaining information about data being processed about themselves
  • correction of incorrect data
  • restriction of certain processing
  • objecting to personal data being used for direct marketing
  • data portability
  • data erasure.

How can we help?

When using this Learn-o-graphic you may find some areas where you need to update your existing data protection practices. If so, our team is ready to help you enhance your arrangements so that you can meet the new regime with confidence.

Higher threshold for consent as a basis for processing employee data.
Do you rely on employees' consent to process their personal data?

Consent has always been a problematic basis for processing employees’ data because of the view of regulators in many EU countries that consent in an employment context is not freely given.

These difficulties are compounded under the GDPR because:

  • under the GDPR consent must be as easy to withdraw as to give – and you have to tell employees this. Consent becomes an inherently unreliable basis for processing and potentially offers employees a new tactic in disputes.
  • consent as a basis for processing entitles employees to other rights – such as to have their data erased. This could create real practical difficulties for employers.
  • approaches to consent may vary across the EU as this is an area where each state is allowed to take a different approach, creating difficulties for international businesses.

For all these reasons, you should look for an alternative basis for processing employee data which is legally valid under the GDPR wherever possible, such as the processing being necessary to perform the employment contract, to comply with a legal obligation (for example payroll tax reporting), or for your legitimate interests where these are not overridden by the employee’s interests.

Don’t give up on consent altogether. For example, explicit consent may still be the most appropriate basis for processing certain special categories of data, such as employee health information, where no other condition (such as an employment law obligation) applies. But always consider alternative grounds for processing where available.

How can we help?

If your employment documentation requires updating due to changes brought in by the GDPR, we can identify this need via our simple, checklist-based approach, which provides you with a user-friendly structure to match each category of data to the applicable ground for processing.

Data Breaches
More onerous obligations
New notification requirements for personal data breaches: you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. All breaches, notified or not, must be documented internally.
Learn more about your new obligations here

The Information Commissioner’s Office summarises the new obligations arising upon a personal data breach.

How can we help?

We will work with you to ensure your policies and processes reflect the new GDPR requirements, including with training for your employees if required.

Data Processors
Enhanced obligations
Data processors are persons who process data on behalf of an employer (other than its employees), eg outsourced payroll providers.
Do you use data processors to handle employee data?

You will need to ensure that your contracts with data processors contain the mandatory terms required by the GDPR (including processing only on your documented instructions, confidentiality, security measures, assistance with data subject rights and breach notification, and return or deletion of data at the end of the contract), and that the processors you contract with comply with their new direct obligations.

How can we help?

We can provide you with the necessary drafting to cover the obligations you need to secure from your third party data processors.

International Data Transfers
Similar but enhanced, remain problematic
Main legal bases for cross-border transfers remain, subject to some changes.
Do you transfer employee data cross-border?

Transferring data outside the EU has long been a problematic and complex area. The main routes for lawful data transfers under the GDPR will be familiar to those used to dealing with data protection under the current law, although there will be some changes. There are improved routes for intragroup data transfers under the new provisions about Binding Corporate Rules, which are likely to be particularly useful in the HR context.

If your business transfers personal data outside the EU, you will need to take a fresh look at this issue to ensure such transfers remain lawful and to take advantage of the changes. This is one area where you may need specialist advice, which we can assist with.

How can we help?

If you want to know more about the new rules on intragroup cross border transfers of data, we would be delighted to assist, as well as talking through the knotty problem of transfers to third parties.

The legal complexity of overseas data transfers is not a new issue, but the landscape has shifted, so this is a good moment to get your house in order.
