We have a little more than two months until the EU's GDPR finally takes effect, and businesses in the UK are no exception. Even if the UK leaves the EU next year, the government indicated last August that it intends to pass a new Data Protection Bill to preserve the same protections, and GDPR applies to any business that processes the personal data of people in the EU, whatever their nationality. There is little point in companies applying one data standard to people in the EU and another to everyone else, so it would not be surprising for GDPR to become the de facto global standard for data protection.
But while most businesses may be thinking about how to protect consumer data, HR departments have to think about how the new rules change the handling of employee data. The penalties for noncompliance are severe: Article 83 provides for fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. If your business employs even one person whose data falls under GDPR, you have to ensure that the proper data procedures are followed. Here are some of the most important things to look out for.
Consent Matters
The GDPR takes consent extremely seriously, and is clearly intent on preventing employers from helping themselves to employee data whenever and for whatever purpose they please. Consent must be freely given, specific, informed and unambiguous. Businesses must tell employees what they need data for, and may hold that data only as long as needed to accomplish the stated purpose. If HR collected data for purpose X but now wishes to use the same data for purpose Y, the employee must be asked again. One caveat: because of the imbalance of power between employer and employee, regulators treat consent as rarely "freely given" in the employment context, so HR should rely on consent only where the employee has a genuine choice, and on another lawful basis (performance of the employment contract, a legal obligation, or legitimate interests) for the routine processing that employment requires.
Employees also have rights over that data whether or not consent was the basis for collecting it. They have the right to access it and know exactly what data you hold about them, to have inaccurate data corrected, and, in many circumstances, to have it erased. Where processing does rest on consent, the most important point is that consent can be withdrawn at any time, and withdrawing it must be as easy as giving it.
This means several things. First, HR must inform employees about all of these rights, and really inform them, not bury them in small print on page 73 of the employee handbook. Second, HR departments will have to make sure that stored data is organized so it can be found, exported and corrected readily, since access requests must normally be answered within one month. Third, HR may have to get to work revising old employment contracts, as the blanket consent clauses that were often used before will no longer be valid.
Data Breaches
Data breaches are ugly things, and some companies try to delay announcing or even cover up such events. This is bad policy to begin with. Security Intelligence points out that being upfront and not trying to sugarcoat a breach can regain customer loyalty, especially if you show that you are making efforts to prevent it from happening again.
But now Article 33 of the GDPR states that “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent.” Note what that actually requires: the 72-hour clock starts when the business becomes aware of the breach, not when the breach happened, and the notification goes to the supervisory authority (the ICO in the UK), unless the breach is unlikely to result in a risk to the people affected. Telling the affected individuals themselves is a separate duty under Article 34, which applies when the breach is likely to result in a high risk to them and must be done without undue delay. For HR departments, all of this applies to employee data just as it does to customer data.
Because the clock is short, businesses have to set up a data breach response plan in advance so they can show that they are taking active measures to contain the breach and limit its effects. Set a contingency plan detailing what HR is supposed to do if there is a breach, who is responsible, and what has to be done, and keep a record of every breach, including those judged not to need reporting, since Article 33 requires that record. GDPR mandates that organisations whose core activities involve large-scale, regular and systematic monitoring of people, or large-scale processing of special categories of data, must appoint a data protection officer with expert knowledge of data protection law and practice. Work with that individual, as well as with IT and security, so that your company actually can assess and report a breach within 72 hours.
Country by Country
A supposed benefit of the GDPR is that it simplifies data privacy rules. Rather than having to figure out how to adhere to different data privacy laws in France, Germany, and Poland, there will now be one regulation which applies directly to all companies doing business in the EU, much as a single federal statute applies across every US state.
However, this is not completely true. GDPR will make data privacy rules in Europe more uniform, but there will still be differences from country to country. The regulation contains opening clauses that let member states add their own rules, and employee data is one of the areas explicitly left to national law (Article 88). The GDPR is therefore not so much a uniform standard as a minimum benchmark, and some countries (Germany in particular, through its revised Federal Data Protection Act) have already enacted more stringent requirements for employee data.
This is particularly important for UK businesses in the long run. The UK and the EU may have the same data protection policies for now. But when Brexit happens and the two take separate paths, will that continue to be the case?
This is one example of how, even if your HR department is prepared for GDPR, you cannot rest on your laurels. Ensuring that your company meets the data protection standards your employees are entitled to will be an ongoing process as governments try to catch up with technology.