The GDPR will replace the EU’s 1995 Data Protection Directive (enacted in the UK through the 1998 Data Protection Act) and represents the biggest change in data protection legislation in over 2 decades. The new regulation aims to harmonise data protection laws across Europe, strengthening rights for individuals while increasing companies’ obligations.
The effects on HR and payroll processes will be wide-reaching, with the potential of heavy fines levied against organisations that fail to comply. While the GDPR represents a major challenge for HR professionals, careful planning and preparation will ensure a smooth transition.
Why the change?
Modern technologies have revolutionised the way we gather, process and store personal data. The changes introduced by the GDPR largely reflect today’s data-driven, digital world – a world vastly different to that in which the current legislation was written. The GDPR will unify data protection law in the EU, replacing the current ‘patchwork quilt’ of localised laws.
But wait – aren’t we leaving the EU?
The UK is set to leave the EU in March 2019, but this won’t save you from the GDPR. The UK Data Protection Bill is currently getting the rubber stamp in parliament, and as well as reflecting the provisions of the GDPR, this will also include some country-specific controls.
So what are the key changes?
- Increased scope
While the GDPR is an EU regulation, its effects will be felt worldwide. The GDPR not only applies to companies based in the European Union, but to any company that processes the personal data of EU residents. This will raise significant issues for global employers. It also means many UK companies will continue to fall under its jurisdiction post-Brexit.
- Heavier fines
Not all breaches will lead to a fine, but severe penalties will be introduced for the most serious infringements of the GDPR. A tiered penalty system will see fines of up to 4% of annual global turnover or €20 million (£14 million), whichever is higher, imposed on companies for severe violations. This represents a huge increase on the current regime.
- Stricter consent rules
Although the majority of HR personal data that is processed will not require consent as the legal basis for processing, some areas such as the initial stages of recruitment may do. Where this is the case, and for other consent-based processing, the GDPR does impose stricter rules. Gone are the days of indecipherable consent clauses, legalese and opt-outs. Instead, consent must be given freely and actively, with the terms and conditions written in a manner understandable to all.
- New employee data rights
In extending the rights of data subjects, the GDPR will provide employees with greater transparency and control over how their data is processed. This will place further obligations on employers and could potentially disrupt current HR practices. Although there is a legal requirement for the limited retention of HR and payroll records, in some cases the new ‘right to be forgotten’ will allow employees to request that their personal data be erased from company records. In addition, employees have a right of access to their personal data and to also request that it be changed or erased if it is incorrect. It is vital that HR professionals familiarise themselves with these new rights.
- Mandatory DPOs
Some organisations will be obligated to employ a Data Protection Officer (DPO) to oversee GDPR compliance. This requirement will fall on public authorities, companies that carry out regular large-scale monitoring of data subjects, and companies that process particular types of sensitive personal data. Such organisations should start the recruitment process ASAP; the sooner you get someone in place, the smoother the transition will be. And remember, these professionals will be in high demand.
- Reporting breaches
In some situations, companies will be required to report a personal data breach to the relevant supervisory authority within 72 hours of its discovery. To avoid hefty fines, HR departments should have a set procedure in place in the event of a data breach.
What can I do to prepare?
A company’s ability to adapt to the GDPR will be the difference between success and failure in the new data protection environment – so preparation is key.
From an HR perspective, there are a number of practical things you can do to get your department up to speed.
- Know where you stand
In order to get compliance-ready, you’ll need to know the extent of the personal data your company processes and how it is used. A data audit will provide a clear picture of where you stand and what you need to do in order to achieve compliance.
- Knowledge is power
From support staff to directors, all HR professionals will be affected by the coming changes. Proper GDPR training will ensure that your team is well informed, both individually and collectively. HR departments must be armed with knowledge if they are to successfully navigate the road ahead – and avoid those eye-watering fines.
- Revise, rewrite, update
The new regulation will require a number of practical changes to be made to current HR processes. Consent clauses, where used, will need to be reviewed and possibly rewritten, with consent being re-obtained. Contracts with third parties will need to go through the same process, and systems will need to be in place to cover the range of new employee rights.
- Act now
GDPR is imminent, and there is much for HR departments to do before it is implemented. While the task ahead may be daunting, effective planning and preparation will ensure your company transitions smoothly into the new data protection era. With the clock ticking, GDPR compliance should be top of the HR agenda in the coming months.
MHR now offers an exclusive GDPR Staff Awareness e-learning course designed to help organisations bring their staff up to speed with all the coming changes. The course aims to cut through the misinformation and scaremongering, giving employees a solid understanding of the issues surrounding GDPR, and the confidence to adapt to the new data security environment.
For more information on our GDPR Staff Awareness e-learning course, see the GDPR Training Course page.