GDPR Myth #5: HR policies and practices won’t be affected

HR Polices and Procedures book

To what extent will HR policies and procedures be affected by GDPR, which comes into force on 25 May?

With so much attention given to the marketing and IT departments when it comes to GDPR compliance, it’s easy to overlook the other parts of the business that will be impacted. HR is probably one of the most affected areas in a business, as the new rules apply to employee information as well, not just customers. GDPR is about the regulation of all personal data, and HR departments have a lot of it.

GDPR requires you to identify the lawful basis for processing data. This would normally be consent, i.e. the person agrees for their data to be processed. But GDPR complicates this when it comes to employee/ employer relationships. Under GDPR, consent has to be freely given, and not as a condition for another service, such as a job. Due to the imbalance in a relationship between the employee and the employer, it is not clear that relying on consent would hold up under GDPR. Consent can also be withdrawn at any time under GDPR, and without a fallback ready, processing activities would need to stop.

HR departments may instead prefer to rely on other conditions for processing employee data; that it is necessary under the employee’s contract or to further the company’s legitimate interest. In these cases, relying on this condition would need to be documented and communicated to the employees prior to 25 May.

Free download: VinciWorks’ HR guide to data protection

GDPR and the right to access personal data

GDPR also expands the right of access to data. Employees (along with everyone else) will generally have the right to access the personal data held on them free of charge and within one month of requesting the information. This could include job references in some circumstances, so the HR department must be ready to both respond to new requests, as well as knowing what requests it has the right to refuse.

If staff are being monitored at work, for instance through CCTV or internet usage tracking, they must be told. The monitoring must be transparent, and must balance the legitimate interests of the employer with the privacy rights of the individual. A data protection impact assessment (DPIA) should be conducted on all monitoring activities as a first step, including any biometric or genetic data that is monitored, for instance through a fingerprint scanner. Under GDPR this becomes sensitive personal data and must be treated with the same care and caution as health records.

Ensuring your HR department are GDPR compliant

Criminal record checks are also subject to change. Higher level checks, known as the standard of enhanced DBS checks in the UK will probably not be affected. GDPR requires criminal records checks to have a basis in law, and routine basic DBS checks on all employees will not be permitted without a legal justification. Nor can consent be used as justification for conducting a criminal records check.

Because GDPR increases the penalties for data breaches, it’s worth reviewing in depth how HR data is treated, stored, and accessed. IT security, encryption, rights of access and proper storage are equally important aspects that must be taken into account. Some ‘common’ practices, like emailing yourself information to work on at home, is not only beyond forbidden, but could come slapped with a major fine if it gets lost or breached. GDPR considers data breaches that affect the rights and freedoms of individuals as the most serious, which is exactly the data HR departments deal with every day.

VinciWorks’ GDPR resources page

VinciWorks’  has created a resources page that provides users with the ability to access several helpful tools, guides, micro courses and policy templates relating to GDPR compliance from one place. From a GDPR ready data protection policy to a GDPR Knowledge check, our GDPR resources page should have everything you need to prepare for GDPR day.

View GDPR resources page

This blog is the fifth in a series of GDPR Mythbusters VinciWorks will be publishing to help businesses seperate between fact and fiction. Sign up to our GDPR Mythbusters webinar.