Life after the GDPR deadline: ‘For HR, it's certainly not that the game is over, rather that it’s just beginning.'
So, May 25th has come and gone but what happens now? What's next for HR departments on the data protection front?
Now the consent provisions have gone from contracts of employment, the staff privacy notices are in place and data protection policies amended can we relegate data protection to the bottom of our in-trays?
The answer is a resounding 'no'. Here, Olivia Sinfield, Associate Director at law firm Osborne Clarke, helps us understand five of the key issues for HR to consider on the journey post-May 25th:
1. Keeping up with a pan-European approach
There’s a tendency to think GDPR has brought harmony and consistency to our approach to data protection issues on a pan-European basis. While that was the intention, it would be wrong for us to assume that a one-size-fits-all approach can be taken to key issues such as equal opportunities monitoring, surveillance, retention periods, criminal records checks and special categories of data. The final position in most European jurisdictions is not yet clear, given that most local data protection laws are yet to hit the statute books.
It’s now imperative HR departments operating across Europe take advice on local implementation and practices in order to ensure the issues above, among others, are dealt with appropriately.
2. Dealing with data breaches and banishing the blame culture
This will require a change in mind-set, and HR will play a key role in this. We can no longer have a ‘head-in-the-sand’ approach to emails being sent to the wrong address or a lost USB stick. These attitudes often prevail due to fear of reprisals if the mistake is found out.
But it’s now essential employees are encouraged to disclose any potential breach, and they are only going to do this if they are confident a blame culture doesn't exist. We need to think about how to educate our employees about why speedy reporting is necessary; after all, 72 hours is not long to make an assessment of the potential breach and decide whether it needs to be reported to the ICO and/or the data subject. So, consider strategies to encourage employees to openly report/disclose without fear of adverse consequences.
3. The problem of individual requests and limiting impact on daily workload
With the press focus on individual rights we expect to see a surge in data subjects asking for data to be deleted/amended/transferred and an increase in data protection rights being used as leverage in tricky situations such as a disciplinary or redundancy. 'I object' will become two words HR will hear more often.
It is now crucial that HR have an understanding of when these rights can be exercised, as they are not absolute rights. They are fettered and come with limitations, but these need to be understood and applied so that a correct response can be delivered and the impact on key HR processes and business as usual limited as much as possible.
4. Policies and processes – getting your head around a long, long list
An amended data protection policy and new staff privacy notice are just the tip of the GDPR paperwork iceberg. HR teams should be thinking about the benefits of having in place risk assessments factoring in data protection issues for use before any new HR system or process is introduced.
Also, before any disciplinary or grievance investigation begins, guidance for HR teams needs to be provided on issues such as background checks and processing of special categories of data, such as health data for example.
Processes for withdrawal of consent, as well as the exercising of individual rights and breach reporting, among others, need to sit behind these documents. Privacy notices need to be working, live documents that are updated to reflect changing data practices.
5. HR ownership – this is just the beginning
But ultimately, who will take responsibility within HR for this continuous process of improvement?
Resource constraints are one of the biggest issues we've come across in the run-up to May 25th. There is a need for someone within HR to ‘own’ the task of ongoing compliance and push it forward. It's estimated that full compliance may take up to five years for many organisations; this needs to factor highly in HR business planning.
The key question we're being asked is how lenient will the authorities be and what are the consequences of being anything less than 100% compliant? What about when the spotlight shifts from Facebook and Cambridge Analytica?
This is still subject to intense speculation but recent press releases from the ICO demonstrate a carrot rather than stick approach – they want to help businesses get it right rather than trying to shame those who are getting it wrong.
This isn't to say they will be lenient with businesses who have made no efforts to comply at all, particularly larger organisations processing large amounts of data or special category data. But they're certainly not out to slap big fines on those who are working to get it right, albeit not everything is in place yet.
So, we should see May 25th not as a hard deadline but as the beginning of a new era where HR has a key role to play in ensuring and demonstrating that the business cares about employees' personal data.
Data protection considerations need to feature highly on any HR agenda and play a key part in the development of any new HR systems, processes and practices. For HR, it's certainly not that the GDPR game is over, rather that it’s just beginning.
Posted on: Tuesday 12th Jun 2018