What does GDPR mean for HR?
The Human Resources (HR) sector of a business is naturally affected by the European General Data Protection Regulation (GDPR), because HR handles employee data and other personal data. Consequently, HR is responsible for handling this data appropriately and for ensuring employees are aware of their data rights within the business. GDPR now holds businesses accountable for how they protect personal data, so data subjects are better protected under these new regulations, and it is essential that the protection requirements are upheld in order to prevent a data breach and the censure that follows it.
The GDPR has created specific roles to make data protection more transparent. For example, a business or organisation is referred to as the data controller, which decides the purpose for which personal data is processed. The HR team is then referred to as the data processor, which processes this personal data on behalf of the data controller.
The GDPR states that the legal liability for a data breach falls on both the data controller and the data processor, so the HR sector of a business is at risk of severe repercussions if it does not process data lawfully and fairly. To ensure compliance with the GDPR, the data processor needs to keep a record of the personal data it holds and of the procedures used to process it.
The GDPR now demands that an HR team be explicit about the purpose for which it processes employee data. Consequently, data subjects will be aware of how their data is processed and for what reason.
Previously, HR would obtain consent to process an employee's data through the terms and conditions of the employment contract. Now, however, HR is required to obtain specific consent from an employee to process their personal data. The purpose of processing this personal data is specific, so if an employer wants to process an employee's data for a different reason, it will need to obtain consent from the employee again. GDPR now means that an HR team cannot rely on legitimate interest as a legal basis for using employee data for related purposes. An employer needs to receive specific consent from an employee in order to use their personal data for a specific purpose.
Explicit consent may be required if an organisation wishes to process an employee's sensitive data, such as their race, ethnicity or trade union membership. Moreover, a data subject has the right to issue a data access request to retrieve their personal data from an organisation, and a data subject can subsequently demand that their personal data be erased from the organisation's database.
HR data and data breaches
The Information Commissioner's Office (ICO) is responsible for receiving an organisation's breach reports and for administering the repercussions of a data breach. If it appears that a data breach has occurred, the breach needs to be reported to the ICO within 72 hours.
The data processor, in this case the HR sector, would be found guilty of allowing a data breach to occur. The GDPR, under Article 33(2), states that the data processor must make the individual whose personal data has been compromised in a data breach aware of the situation without undue delay.
Reporting the breach to each affected employee without undue delay, and then subsequently reporting the breach to the ICO, demonstrates that a data processor is fulfilling its breach reporting role.
In June 2018, PageUp, an Australian HR firm, was found guilty of a data breach. Although PageUp is an Australian HR firm, and therefore not subject to the European GDPR, its data breach still exemplifies the risks to which the HR sector is exposed.
PageUp has over 2 million customers, who use the PageUp facilities to apply for jobs within organisations across 200 different countries. PageUp therefore holds a vast amount of personal data, which was compromised in this recent breach. Client organisations of PageUp, such as leading supermarkets, banks and governmental offices, have had to inform their employees that their personal data may have been breached. This Australian data breach shows the consequences that employees across many different countries had to confront as a result of the breach.
There is therefore a vast amount of employee data at risk of being breached, so the HR sector needs to be aware of, and conscientious in, its protection of this employee data in order to comply with the GDPR and mitigate the risk of a data breach.