
Four things HR will be responsible for after GDPR

When you try to get your head around something big like GDPR, sometimes, the more you read, the scarier it sounds. So instead of giving you the entire background on GDPR, and warning you about all of the fines and penalties, I thought it would be more helpful to simply go through a list of things HR will be responsible for when GDPR hits the shelves.

Personal data is defined by GDPR as “any information relating to an identified or identifiable natural person”. This means that all those employee records you take care of are hot pieces of personal data – and they’re afforded protections by law.

Believe it or not, you’re probably halfway there already

As an employer, you’re already obliged to ensure your employees’ personal details are respected and properly protected. GDPR just changes some of your responsibilities, that’s all. And a good way to ease yourself into such changes is to compare old against new. So what are you already responsible for as an employer?

The Information Commissioner’s Office (ICO) has a great page dedicated to your existing responsibilities. Perhaps the most useful resource on this page is their “quick guide to the employment practices code”, which is aimed at small businesses and outlines your responsibilities in areas such as:

  • What the data protection act means for employers
  • Recruitment and selection
  • Employment records
  • Monitoring at work
  • Employee health information
  • Worker rights

Ideally, you’ll know all this already – because you’re already doing it. But if you don’t, then familiarise yourself with the ICO’s guidelines. GDPR will feel very similar to existing legislation, albeit with a few major changes.

Let’s take a look at the areas that are most likely to affect HR.

The main areas of GDPR that will impact HR

According to Weightmans LLP, the areas of GDPR that will impact HR are as follows:

  1. Consent
  2. Data rights
  3. Subject access rights
  4. Breach reporting

So let’s explore each of these areas a little, to see if we can find out just how different they will be for HR once GDPR arrives.

1. Gaining consent to process employee data

When you want to do something with somebody’s personal data, you need to gain their consent. When GDPR arrives, the rules on gaining this consent will change. Previously, consent could be gained by writing a “consent to process data” clause into a contract. But under GDPR, consent must be “freely given, specific, informed, and clearly indicated”.

The good news for HR is that this does not necessarily apply to employee data. This is because, according to Sue Lingard of Cezanne HR, you can instead rely on an “other lawful basis” in order to process employee data. Or in other words, you are processing the data because it is a legal requirement for you to do so.

Having said this, be warned that any employee data you store or process for reasons that fall outside of your legal obligations will still require the new, more explicit consent GDPR will introduce.

2. New rights for employees as data subjects

Employees will have more rights over what happens to their personal data. Law firm TaylorWessing breaks down all employee data rights under GDPR into a handy six-point summary:

  1. The right to be informed. You must be clear to your employees exactly how you use their personal data.
  2. The right of access. Subject Access Requests will still exist, but with different rules, under GDPR. We’ll look at this in more detail in the next section of this article.
  3. The right to data rectification. If employee data is wrong, or key data is missing, the employee may request this is corrected. This isn’t much different to existing data protection legislation.
  4. The right to be forgotten. TaylorWessing is quick to point out that this only applies to employee data under certain circumstances.
  5. The right to block or suppress personal data processing. Again, this is very similar to existing legislation.
  6. The right to data portability. This is brand new under GDPR. Employees may now obtain their personal data, and reuse it for their own purposes, across different services. This is another situational right, so won’t always apply.

As you can see, a lot of employee rights as data subjects are the same under GDPR as they are under existing DPA legislation. But there are new rights that did not exist before, and some rights have changed a little. Keep your finger on the pulse here.

3. Subject access rights

Do you remember the good old subject access request? Under the DPA legislation, data subjects had the right to request all information you held on them. And you were allowed to charge a nominal fee of £10 for your trouble.

Subject access requests are not going anywhere. Previously, you were obliged to fulfil the request within 40 days. But under GDPR, you must now fulfil requests ‘without undue delay’, and within one month. You may no longer charge a fee, either – unless requests are deemed to be excessive.

Luckily for employers, if a subject access request is particularly complex, you may extend the time it will take you to comply, according to Clare Gilroy-Scott, writing on

“This will be able to be extended by up to two additional months by informing the employee within one month of the request of the need for the extension, and the reasons why.”

4. Breach reporting

Anybody involved in the processing of personal data within your organisation must now follow a new breach reporting process. This includes HR.

If there is a breach of any personal data, GDPR requires you to notify the Information Commissioner within 72 hours if possible. If this is not possible, you must also provide justification as to why it wasn’t possible.

A personal data breach could be anything from a lost laptop to an email sent to the wrong address. But it’s worth noting that these kinds of mistakes won’t always be classed as a personal data breach – you only need to report a breach that is likely to result in a risk to a data subject, for example if you lose a laptop which stores unencrypted employee records.

Are you ready for GDPR?

GDPR will arrive on 25th May 2018. If you are still burying your head in the sand, then it is time to act and prepare, before it is too late.

For more information about how GDPR will impact HR, and what we are doing at People HR to prepare for GDPR, visit our GDPR webpage.

Using a secure HR system to manage employee data can help you comply with GDPR.