Keeping your HR department GDPR compliant
Surely, everyone in the UK—probably everyone in the whole world—has watched a lion hunt on the TV? Look! There’s the herd getting on with herd business, like scratching their friend’s neck, eating grass, and swatting flies. There’s the lioness and her prowling pride, slowly closing in. The threat is real. But the herd is lost in the daily grind—too preoccupied to take much notice. And the lioness hasn’t decided exactly what to…. and boom! She bursts forth! The herd explodes! All is chaos and madness and mayhem and speed and drama…
Now, instead of a herd of zebra, envisage millions of businesspeople. And instead of a lioness, imagine four little letters—GDPR. Aaaaand that’s a fairly accurate portrait of the online business world between 2016, when the General Data Protection Regulation was adopted, and 2018, when it came into effect.
Of course, there were more laptops and lattes than Serengeti wildernesses and watering holes. And we got millions of alarming blog posts instead of David Attenborough’s authoritative yet comforting voiceover… but you get the idea. It was wild!
Things have changed a lot since then. For starters, most people have realised that the GDPR is more ‘good cop’—there to protect and serve—than bloodthirsty lioness—there to eat everyone who can’t keep up. And, of course, by 1st January 2021 the United Kingdom had formally exited the European Union and no longer had to conform with the GDPR (EU) at all.
What the GDPR do we do now?
The good news—or the bad news, depending on your point of view—is that the UK decided to stick with the GDPR, now called the UK GDPR, which forms part of the Data Protection Act 2018 (DPA). As with its EU counterpart, the UK GDPR governs data protection in the UK: how organisations gather, store, and use data, and how individuals can exercise their increasing rights of control over their own personal data. And that includes all the people in your organisation.
Combining both ethical and legal concerns, data protection laws impact most HR processes, from recruitment and record keeping to performance monitoring and compensation. So, it’s not something that organisations can brush aside or improvise. Data must be managed responsibly, while legal principles and developments must be upheld. And we’re not going to downplay it—developments in data protection can feel overwhelming.
But don’t start carving out the ‘Abandon Hope All Ye Who Enter Here’ signs just yet. We’ve put together a fun, practical guide for all things GDPR.
The anatomy of UK data protection
UK data protection laws are made up of several central bodies, terms, regulations, and rights. It’s best that any HR manager has a basic understanding of the main elements, so we’ll take a quick look at them now.
The Information Commissioner’s Office (ICO)
The ICO is an independent body charged with the promotion and enforcement of data protection legislation. And that includes issuing fines, like the £20 million data breach fine issued to British Airways (reduced from an original £183 million) after a cyber-attack compromised the personal and financial data of over 400,000 customers. While the ICO’s limits are yet to be tested, you can rest easy that fines are proportionate to turnover and the level of data loss—data-driven business models be warned. So, although not many of us are likely to find a £20 million bill on our doormat, fines can be up to 4% of total annual worldwide turnover for the most serious failures.
The General Data Protection Regulation (GDPR)
The GDPR is largely concerned with individuals’ rights to access information about their own data, as well as data management obligations, and fines for misuse.
The Data Protection Act 2018 (DPA)
Together, the DPA and GDPR dictate the obligations of data controllers (those who decide how and why personal data is processed) and the rights of data subjects (those whose data is held or processed). In the context of HR, the employer would usually be the data controller, while workers, employees, past employees, and applicants would be data subjects.
According to the principles of the DPA, data controllers must make sure collected and stored information is:
- used fairly, lawfully, and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant, and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures proper security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage
Personal versus sensitive data
Personal data relates to personally identifiable information like name and location. Almost all HR records including absence records, performance tracking, and recruitment files can be classed as personal data.
Sensitive data relates to data that could lead to discriminatory behaviours, reveals protected characteristics, or is singularly personally identifiable. This includes information on race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, identifying biometrics, health, sex life or orientation, and criminal records. While there are stronger legal protections for sensitive data, it can be processed if necessary. For example, criminal records must be accessed for work with children or vulnerable adults. Or fit notes can be collected to prove genuine illness. Even diversity information can be collected if it is in the interest of social security and social protection law. However, any reasons must be fair, lawful, transparent, accurate, and properly recorded.
All individuals, including anyone who has worked, is working, or has applied to work for an organisation, have the right to find out what information that organisation holds about them.
That includes the right to:
- be informed about how their data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of their data
- data portability (allowing them to get and reuse their data elsewhere)
- object to how their data is processed in certain circumstances
These rights extend to data used for:
- automated decision-making processes
- profiling (data used to predict behaviours or interests)
HR teams are most likely to be impacted by data protection rights in the form of Data Subject Access Requests (DSARs). These can be either oral or written requests and can relate to general (all) or specific data. In increasingly intertwined workplaces, where one employee document can reference other employees, or performance data for one can reveal performance data for another, it is important that DSARs are handled with great care. Getting it wrong can lead to a data breach.
Data protection in action
Now you have an idea of what data protection laws look like in 2022, you’re probably wondering how they affect you and your organisation. Let’s look at some examples.
Thanks to an adequacy decision made by the European Commission in June 2021 relating to the GDPR, “personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law”. Although limited by a four-year ‘sunset clause’, at which time it will be reviewed, the decision means that organisations that have operations in the EU as well as the UK can breathe a temporary sigh of relief. And we’re not just talking about people or business activities. If a UK-based organisation uses a cloud storage provider based in, for example, Germany, then data will need to flow freely between those two points. So, by 2025 we may all have to start thinking about where our cloud providers are based, and not just the security, privacy, and contents of the data.
Like cookies and Ts&Cs, privacy policies are an ever-present aspect of online life. And they need to be high on every HR professional’s agenda too. Policies must be transparent, comprehensive, easily accessible for employees and other workers, and up to date. And any changes in data management policies must be communicated organisation wide. The best way to do this is by circulating a privacy notice—here’s a handy template provided by the Ministry of Justice.
Internet, social media, communications, and remote working policies
Providing staff with smartphones, laptops, tablets, and flexible working options is increasingly common and even expected. But spreading workforces and company assets beyond the four walls of HQ comes with its own data protection implications. Robust policies should cover cybersecurity, permitted uses for all devices and communication channels, and unobtrusive monitoring measures such as tracking traffic data.
Accountability requirements should be met by training, auditing, and comprehensive documentation of data processing activities, while consistently reviewing HR policies. For example, people must be able to recognise and avoid potential attacks like phishing, and organisational data should be encrypted.
Data protection officers (DPOs)
Although a governance update on the 23rd of June 2022 included proposals to replace requirements to appoint a DPO with an obligation to appoint a senior person who is responsible for data privacy management, it’s still important to hire a DPO if your organisation meets certain criteria. For example, if you’re a public authority or body, or work closely with public authorities or bodies, or perform large-scale monitoring or data processing.
Third-party data transfers
Just because you’re not selling employee data doesn’t mean that you’re not sharing it. If you send data through third-party software integrations such as payroll software or HR software, or use external organisations like recruitment agencies, solicitors, or accountancy firms, you need to make sure that they’re compliant too.
Data security obligations depend on the size of your organisation, the nature of the data being processed, and the potential harm that could result from a data breach. But risk assessments, up-to-date security systems and software, strict access restrictions, training, and security monitoring should be part of every organisation’s data security practices.
Record keeping and correction
If your organisation has over 250 employees, then clear, accessible records of all data processing activities must be kept. Smaller organisations only need to keep records for data that they process regularly, such as payroll data, as well as sensitive, potentially harmful, or intrusive data.
A GDPR action plan
The TL;DR action plan is that every organisation—no matter what size—should audit information systems to find out where data is held and why; issue policies and guidelines regulating data management; ensure the security of all stored data; consider and properly manage international data transfer; keep on top of automated decision-making processes; and review and monitor policies, practices, and training on an ongoing and systematic basis.
And that’s it. Phew! A comprehensive post-Brexit guide to UK GDPR.
But if you’re still feeling a bit like an outlying zebra with the lions closing in, then all is not lost: there’s a reliable, hassle-free shortcut that can save your hide—HR software.
HR software and GDPR compliance
76% of HR professionals have admitted that GDPR requirements have added a significant burden to their HR department. And with increasing numbers of DSARs, data-mapping requirements, data deletion and anonymisation requests, post-Brexit and post-pandemic considerations and regulations, and the ever-changing needs of an evolving workforce, the administrative burden is growing. But it doesn’t have to. With the support of good HR software, effectively managing GDPR compliance can be easy.
SenseHR GDPR-compliant software comes with lots of features to help your organisation stay ahead of legislative requirements.
- Secure: Cloud computing, data encryption, ISO 27001 certification, multifactor authentication, and ongoing penetration testing mean that your data is safe with SenseHR
- Employee access: Secure Self-service means that all your people can check and update their own information at any time, as well as access updates and training
- Automated data retention and deletion: Configure your system to delete, anonymise, and retain data according to your rules
- Portability: Easy data import and export to help with data portability requirements
- A single data source: No more searching. Keep all your data, documents, policies, and training materials in one place
- Secure third-party integrations: Keep track of all your data transfers
- Unlimited document storage: Never run out of secure storage space for your organisational documents
- E-signatures: Inbuilt document generation and real, on-document, e-signatures mean that you can track and secure the most vital business documents, throughout their lifecycle, without ever leaving the safety of your software
- GDPR for everyone: SenseHR’s ground-breaking databases and innovative workflows mean that your people data is protected no matter where or how your people are working
When it comes down to it, GDPR is all about empowering and caring for your workforce. And if it’s done right it can help with employee retention and engagement—it’s not just about protecting your organisation from the lions. And the best and easiest way to do it right is with our next generation HR software.