8 Aspects of GDPR Compliance: A Brief Guide for HR Functions

​With only a few weeks to go until the European Union (EU) General Data Protection Regulation (GDPR) becomes directly applicable on May 25, 2018, many organizations are entering a crucial period as they seek to upgrade their privacy and data protection standards to meet new and enhanced legal requirements.

At its core, the GDPR dramatically heightens expectations on businesses in the way that they manage, use, store, secure and otherwise process personal data. Clearly, HR and talent functions act as the custodians of significant volumes of often sensitive or confidential personal data within any organization, and must therefore take center stage as this new and demanding law bites.

It may be easy or tempting to think of the processing of employee, applicant and contractor information as having less priority than other areas of the business. However, the GDPR—and its significantly enhanced penalties (including administrative fines of up to 4 percent of an undertaking's worldwide turnover or EUR 20 million (whichever is higher)) for noncompliant organizations—does not hold these categories out as deserving of more lenient rules. Works councils and members of staff are often the source of issues raised directly with companies and also with regulators. The risk of penalties will also be enhanced by the prospect of vicarious liability for employers and this could stem from a seemingly minor data breach by an employee in the course of employment. HR functions that remain unsure how the new rules will affect their activities and obligations should act now.

To assist businesses with their HR-specific GDPR compliance programs, we have identified—at a high level—a number of key action points in the checklist below, as split between eight prominent GDPR themes.

1. Transparency

Individuals engaged by any organization (whether employees, contractors, applicants, interns or volunteers, for example) need to be provided with more detailed, granular and accessible information setting out how their personal data is used. This is commonly set out in a privacy notice and must be provided to individuals at the outset of any relationship and updated regularly.

Key compliance steps will include:

• Review/update employee and applicant-facing privacy notices to meet detailed information requirements.
  
• Implement procedures to ensure notices are provided on time, updated in line with new processing activities and version control records are kept.
  
• Consider the introduction of tailored notices for specific, or risky, processing activities, such as background checks and the provision of certain benefits.
  

2. Individual Rights

Organizations will need to be aware of enhanced individual rights of access (under a refined data subject access regime), objection and rectification, as well as new rights to data portability, restriction and erasure. HR teams must be able to recognize and deal with individual requests within strict deadlines. The following will assist with this:

• Introduce business-facing, practical guidance and training modules on recognizing and responding to individual data protection requests under the GDPR.
  
• Work with IT/tech teams to conduct system testing and ensure ability to properly respond to the exercise of each individual right at both technical and practical levels.
  
• Implement formal retention periods for particular categories of HR data and conduct data cleansing exercises in accordance with these limits.
  

3. Legality of Processing

The processing of personal data for each identified HR purpose must be justified on at least one of a number of strictly prescribed legal grounds. The days of relying on employee consent, which will be harder to justify and is unattractive given rights to withdraw consent must be honored, in the context of an employment relationship, are over. Alternative legal grounds, such as reliance on an organization's legitimate interests or contractual necessity, will be required instead. Businesses should, at a minimum:

• Audit and allocate specific GDPR-compliant legal grounds to all identified HR data processing activities and purposes, including those involving special categories of (i.e. sensitive) personal data.
  
• Document valid legal grounds within privacy notices and, where possible or required under local laws, an organization's record of processing activities.
  
• Update policy and contractual documentation, including employment contacts, to remove reference to employee consent as an applicable legal basis for processing.
  

4. Data Quality and Minimization

Businesses must be able to demonstrate "data protection by design and default" within internal systems, so that the concept of data minimization (whereby the minimum amount of data is retained for the shortest possible period) is central within HR functions. This can be achieved through a combination of technical, organizational and practical measures, such as the following:

• Introduce clear guidance and reporting frameworks to assess and approve the necessity and scope of all new or amended HR data processing initiatives.
  
• Formalize clear HR data retention limits (both internally and with vendors) and co-ordinate with IT to ensure internal implementation on a technical level.
  
• Draft business-facing guidance to ensure planned and/or current risky processing activities are identified and subject to a GDPR compliant Data Protection Impact Assessment (DPIA) (see point 8 below).
  
• Consider whether the organization needs to appoint a formal Data Protection Officer (DPO) under the GDPR, or alternatively whether the appointment of dedicated privacy specialists whose job specification is clearly not that of a GDPR DPO can be justified. As the GDPR requires that a DPO acts independently and is not dismissed or penalized for performing their tasks, it is important to understand the implications of such appointment.
  

5. Data Sharing

When HR data is shared within a corporate group (such as on an HR IT platform or in the course of carrying out specific investigations or redundancy exercises), or with external service providers (such as those offering hosting platforms, employee database management products or facilitating benefits/payroll administration) organizations will need to implement new practical and contractual arrangements with each recipient to ensure they will handle the data properly.

The following steps would be sensible, at a minimum:

• Audit intragroup flows of personal data, classify potential recipients (i.e. data controller or processor) and implement enhanced data sharing agreements in line with GDPR duties.
  
• Map personal data flows to external HR vendors, undertake a classification exercise (as immediately above) and update written service contracts to reflect new requirements.
  
• Enhance any formal onboarding process for vendors to include both privacy classification and vetting assessments (i.e. whether they can comply with their data protection obligations in practice). Schedule regular reviews.
  
• Ensure that data transfer obligations are met (see point 6 below).
  

6. Data Transfers

Whilst the GDPR does not fundamentally change requirements relating to the transfer of personal data across borders, organizations reassessing their data sharing arrangements (as above) would be sensible to use this opportunity to consider the continued adequacy of their current international transfer mechanisms, including Standard Contractual Clauses, binding corporate rules and the EU-US Privacy Shield.

HR functions should focus on:

• Mapping international flows of HR data, both internal and external, bearing in mind that merely accessing information abroad constitutes a transfer for data protection purposes.
  
• Ensuring that when personal data is transferred outside the European Economic Area, or another jurisdiction subject to an EU Commission adequacy decision, each potential recipient, whether a group entity or external third-party is covered by a valid data transfer mechanism.
  
• Implement and maintain a living database (possibly as part of a formal record of processing activity, see point 8 below) of personal data recipients and corresponding data transfer mechanisms, which can be provided to individuals on request.
  

7. Data Breaches

The GDPR raises the stakes in respect of personal data security, not least because of its significantly increased potential fines and sanctions should data breaches occur. Organizations will need to be able to quickly recognize, isolate, mitigate and respond to security incidents in line with a formal procedure, and report certain breaches to their regulator (within 72 hours) and/or individuals.

HR functions and individual business units must be aware that the term "data breach" is not limited to malicious hacking; misplaced hard-copy personnel files and erroneous e-mail recipients can be covered too. Breaches could stem from employee actions which, on the face of it, seem innocuous, for example forwarding an e-mail chain that contains personal data/sensitive data (e.g. "she is not coming to work today because her daughter has chicken pox"). In the UK, it also now appears that organizations can be vicariously liable for data breaches caused by rogue employees.

Risks can be reduced by taking the following minimum steps:

• Implement clear and well-rehearsed security/data breach procedures—in conjunction with IT teams—to ensure data breaches can be mitigated quickly, and reported within 72 hours.
  
• Ensure appropriate technical and organizational security measures cover all HR systems and functions, including need-to-know access limitations, encryption and regular training/guidance.
  
• Subject security measures to periodic testing and evaluation—much like a fire drill—to ensure an organization's ability to respond in varied scenarios.
  
• Put staff on notice that any breach (whether electronic or physical) must be reported immediately, ensuring that disciplinary policies are updated to make clear that responsibility for, or failing to report, any security incident may be considered a disciplinary offense.
  
• Review restrictive covenants, as well as confidentiality and IP provisions within employment contracts and consultancy agreements.
  

8. Accountability

Passive compliance with the GDPR is not possible. Instead, all business functions—including HR—will now need to demonstrate compliance with their data protection obligations. Organizations should work towards this requirement by: (i) introducing detailed data protection policies and training; (ii) subjecting internal controls to regular audit and review; and (iii) maintaining a comprehensive, up-to-date record of all processing activities.

With this in mind, businesses should:

• Produce and maintain a comprehensive record of processing activity in line with GDPR requirements, which can be provided to data protection authorities on request.
  
• Implement and/or update employee-facing policies and training, including IT and disciplinary procedures, addressing all key areas discussed above.
  
• Subject internal procedures and controls to regular review and testing, ensuring that results and remedial measures are properly documented.
  
• Consider undertaking DPIAs where processing appears risky, such as employee monitoring and background checks.
  

This document is intended as an illustrative overview only, will not be appropriate for all organizations and is not intended to be a substitute for specific legal advice.

Please also note that under the GDPR, individual EU member states are entitled to introduce more detailed and restrictive local laws with respect to the processing of personal data within the employment context. Compliance programs will need to take any local variations into account, as applicable to their countries of operation.

Tom Mintern and Sam Rayner are attorneys with Bird & Bird in London. © 2018 Bird & Bird. All rights reserved. Reposted with permission of Lexology.