GDPR one year on: Everything HR and People teams need to know
For those who have been living under a rock for the past year or so, the GDPR is the General Data Protection Regulation, which came into effect in May 2018 in the European Union (EU).
It affects any individual, corporation, public authority, agency or other body that processes the personal data of individuals who are in the EU.
We blogged before the GDPR came into effect about how HR and People leaders can be GDPR prepared.
Now, over one year on, what’s happened?
How is the GDPR affecting HR and People teams?
One year on, we know that GDPR compliance is a continuous effort rather than a one-off task.
The preparations for getting ready for the GDPR may have been demanding, but that was just the start. It’s about ongoing compliance.
Luxembourg’s National Commission for Data Protection (CNPD) commissioner, Christophe Buschmann, explained that one of the main issues for companies has been keeping pace.
“Either you move with everyone on a continuous basis, or you just don’t get it and you stop acting and the whole world moves forward… Then it will be very hard to catch up again.”
Over the last year, the new regulations have meant significant work for HR and People teams:
- Checking processes for data protection, deletion and privacy impact assessments for employees
- Clarifying roles, responsibilities and processes around incident management, including documentation and reporting
- Making sure that there are sufficient ‘version control’ and review processes in place for HR policies, to ensure that they’re up-to-date and reflective of the GDPR
- Identifying all HR and People systems, and assessing their related risk based on existing data protection rules and standards, such as ISO27001
- Considering the personal data collected, and any necessary consent gathered, at all stages of the employee journey for your entire workforce – from candidate to employee – to ensure that these meet the requirements of the GDPR
Are fines being imposed? If so, how much could it cost our company?
According to Bank Info Security, there have been 65,000 data breaches since the regulation came into force, and a total of $63 million in GDPR fines have been imposed.
Under the regulations, companies could potentially be fined up to 4% of their annual global turnover, or €20 million (whichever is greater) for serious offences like not meeting the basic principles for processing.
This includes not having obtained any required consents or breaching an individual’s rights.
Smaller fines of 2% can be applied for failing to keep your records in order, failing to report a breach, or failing to conduct privacy impact assessments where processing is likely to result in a high risk to individuals.
Does Brexit affect the GDPR?
The UK Government has said it wishes to keep an unhindered flow of data between the UK and the EU. However, under the GDPR, data about EU data subjects cannot be processed in the UK without either a data adequacy decision (which is not yet in place and is likely to take at least a year) or additional safeguards being put in place.
There is, however, unlikely to be a GDPR impact on the flow of personal data about UK data subjects from the UK into the EU and back.
Even if the UK leaves the EU in a ‘no-deal’ scenario, UK companies will still need to continue to comply with GDPR rules and follow ICO guidance.
The UK Government has confirmed there will be no immediate change to the UK’s data protection standards.
GDPR would be brought into UK law and the ICO would remain the UK’s independent supervisory authority on data protection.
How do we make sure an individual can be forgotten if they ask to be?
The right to be forgotten is a vital part of the GDPR. Organizations need to ensure that there’s a consistent policy in place for the thorough identification and deletion of data. That includes:
- Being able to easily identify personal records and data points for every individual
- Making sure you can manually delete records on request, with additional checks in place (if needed) to ensure the correct data is being removed but that data required to meet legal obligations (such as PAYE and NI records) is retained for the statutory periods
- Holding the source of new candidate data when making new hires, and linking this with your employee data when they join, to ensure a single employee record
- Being able to provide a trail of how data’s being used and shared, for auditing and tracking purposes
- Ensuring you can provide confirmation to the individual once personal data has been deleted
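The list above describes a workflow rather than a tool, so here is an added example (not code from the original post or from any HR product) of what that workflow looks like in Python: every data point for an individual is located across the systems that hold it, records that must be kept to meet a legal obligation are retained until the statutory period has run, everything else is deleted, an append-only audit trail records each decision, and a confirmation is produced for the individual. The system names, field names, retention durations and the sample record are all constructed placeholders; the retention periods in particular are not legal advice and should come from your payroll and legal teams.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Retention policy for data that must be kept to meet a legal obligation
# (e.g. PAYE and NI payroll records), expressed as days after the leaving
# date. The durations are constructed placeholders, not legal advice.
RETENTION_POLICY = {"paye_records": 3 * 365, "ni_number": 3 * 365}


@dataclass
class Person:
    """One individual's personal data, keyed by the system that holds it."""
    person_id: str                        # single identifier from candidate through to employee
    data: dict                            # system name -> {field name: value}
    leaving_date: Optional[date] = None   # None while the person is still employed


@dataclass
class ErasureResult:
    erased: list = field(default_factory=list)    # "system.field" entries removed
    retained: dict = field(default_factory=dict)  # "system.field" -> date erasable from (None = still employed)
    audit: list = field(default_factory=list)     # append-only trail of every decision


def erasable_from(leaving_date, retention_days):
    """Return the first date on which a statutory record may be erased."""
    if leaving_date is None:
        return None  # retention clock has not started yet
    return leaving_date + timedelta(days=retention_days)


def process_erasure(person, today, policy=RETENTION_POLICY):
    """Erase every personal data point except those still under statutory retention."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result = ErasureResult()
    for system, fields in person.data.items():
        for name in list(fields):  # copy the keys: we delete while iterating
            key = f"{system}.{name}"
            if name in policy:
                until = erasable_from(person.leaving_date, policy[name])
                if until is None or today < until:
                    result.retained[key] = until
                    result.audit.append(
                        f"{today.isoformat()} RETAIN {person.person_id} {key} until "
                        f"{until.isoformat() if until else 'leaving date + retention period'}")
                    continue
            del fields[name]
            result.erased.append(key)
            result.audit.append(f"{today.isoformat()} ERASE {person.person_id} {key}")
    return result


def confirmation(person, result):
    """Text to send to the individual once the request has been actioned."""
    lines = [f"Erasure request for {person.person_id} completed.",
             f"Erased: {', '.join(result.erased) or 'nothing'}."]
    if result.retained:
        kept = ", ".join(
            f"{k} (until {d.isoformat() if d else 'end of employment + retention period'})"
            for k, d in result.retained.items())
        lines.append(f"Retained under a legal obligation: {kept}.")
    return "\n".join(lines)


def sample_person():
    """Constructed sample: a former employee whose candidate data was linked at hire."""
    return Person(
        person_id="P-0001",
        data={
            "ats": {"cv": "cv.pdf", "interview_notes": "(constructed)"},
            "hris": {"home_address": "1 Example Street", "emergency_contact": "(constructed)"},
            "payroll": {"paye_records": "2018-19 P11 (constructed)", "ni_number": "QQ123456C"},
        },
        leaving_date=date(2019, 3, 31),
    )


if __name__ == "__main__":
    person = sample_person()
    outcome = process_erasure(person, "2019-06-01")
    print("\n".join(outcome.audit))
    print(confirmation(person, outcome))
```

Run as written, the request made in June 2019 erases the applicant-tracking and HR-system fields, keeps the two payroll fields until the placeholder period after the March 2019 leaving date has elapsed, and says so in the confirmation; the same request made after that period erases everything, and a request from someone still employed retains the payroll fields with no erasure date yet. The audit list is what you would persist for the "trail of how data's being used" point.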
What happens if we have a data breach?
Hopefully, you’ll never have a data breach but, if you do, you need to be able to act immediately – which means having a clear protocol in place should something happen.
In the EU, companies must notify the relevant supervisory authority within 72 hours of any breach coming to light.
Along with other relevant stakeholders in your organization, decide who should take the lead on investigating breaches.
You should establish who needs to be aware and what they’re expected to do in helping to rectify the breach and notifying the relevant supervisory authority in your region (in the UK’s case, the ICO).
In addition, if the personal data breach triggers high risk for the rights of the individuals affected, then the organization may have to notify these individuals of the breach within a certain timeframe.
How can I keep up to date with the latest GDPR developments?
The UK’s Information Commissioner’s Office (ICO) is continuing to issue guidance on the GDPR and what it means for organizations. It’s worth registering for updates on their website to stay up to date with the latest developments.
After more info about GDPR for HR? Download our essential eBook with everything you need to know.