Published 18 May 2018
After a two-year countdown, the implementation date for the General Data Protection Regulation (GDPR) (25 May 2018) is looming. Many organisations, particularly those which process large volumes of consumer data, will have been grappling with the challenges for months and will be reaching the final stages of their action plans. For others, the next few weeks are likely to involve a period of intense activity to ensure that the organisation can demonstrate it is compliant with the new regime by the implementation date.
Carrying out an audit of how the personal data of job applicants, employees and contractors is processed
Removing consent clauses from employment contracts
Updating data privacy notices
Reviewing the contract terms with third parties such as payroll or benefits providers.
Whatever the state of compliance, the following top tips will be of relevance to all employers:
In a perfect world all employers will have implemented their GDPR action plan comfortably before 25 May 2018 to coincide with the date when the new obligations technically take effect. The reality is that for many employers this will be a work in progress, extending beyond the deadline. This should not cause undue concern: it is highly unlikely that the Information Commissioner's Office (ICO) will be interested in using its resources to pursue employers who are actively engaging with their GDPR obligations and taking steps to ensure that they are compliant. In this regard it is notable that the new Data Protection Bill (which implements the GDPR into UK legislation) is still making its way through parliament, and the ICO itself has not updated its Employment Practices Code to address changes under the GDPR (and it is unlikely to do so before the summer).
All of the HR housekeeping steps outlined above are clearly important. However, where time or resource is limited, organisations would be well advised to focus on the key risk areas where enforcement action is more likely in the event of a breach. In terms of HR data processing, this includes the issue of data security and taking steps to understand and address any areas of vulnerability in relation to the disclosure or transmission of employee data (particularly information employees would regard as sensitive, such as bank account details or home addresses). The recent case involving the data security breach at Morrisons Supermarket demonstrates how employers will remain liable for the actions of rogue employees. Another area of focus is getting prepared to respond to individuals exercising their new and enhanced rights under the GDPR. A key change is the reduction in the period for responding to a data subject access request from 40 days to one month, and the need to provide the data subject with additional information when delivering the response. The ICO is likely to follow up with employers who have not modified their processes to respond to these requests within the relevant timescales, potentially leading to further enquiries about the state of their GDPR compliance.
An overarching objective of the GDPR is to move data protection higher up the priority list so that it is treated akin to other regulatory obligations. With this in mind, employers should be prepared to keep their processes and approach under review. As noted above, the ICO is yet to publish its views on how the GDPR impacts the processing of HR data in the form of an updated Employment Practices Code. Inevitably there will also be legal challenges before the courts on the interpretation of the many grey areas under GDPR and organisations will need to amend their processes as our understanding of the obligations evolves.
Ultimately the GDPR marks a steep change in how employers deal with their processing of HR data and compliance will be an ongoing exercise which extends far beyond 25 May 2018.