IAPP CIPT – Lawful Processing of HR Data, Contracts & Recruiting Part 3

9. DPOs and DPIAs from HR perspective

Hi, guys. Let’s discuss about DPOs and data protection impact assessments. Again, DPOs are arguably a Franco German concept and something that German employers are probably more familiar with than their European Union counterparts. Under the GDPR, DPOs must be appointed by employers who are a public authority, except for courts acting in their judicial capacity, who carry out large scale systematic monitoring of individuals for example, online behavior tracking, or who carry out large scale processing of special categories of data or data relating to criminal convictions and offenses.

The DPO role can be observed strict sterile providers, but the underlying obligation is that the responsible individual must have expert knowledge of both data protection regulation and requirements, and of the practices and processes of the employer itself. This should be proportionate to the type of processing the employer carries out, taking into consideration the level of protection the personal data requires.

Employers must ensure that DPOs report to the highest management level ordinarily that should be the board level. They should be aware that adequate resources are provided to enable DPOs to meet their GDPR obligations and DPOs operate independently and cannot be dismissed or penalized for performing their tasks. DPOs will have specific rights and protections, the power to insist on company resources for data protection matters, the right to access the employer data processing personnel and also the operations and express protection against dismissal or penalty for carrying out their duties. The last point is probably the most uncomfortable for employers creating a protected class of employee and one that US.

Parent companies in particular are likely to find difficult to understand. There will be no limit on the tenor of the DPO role, which again is likely to cause raised eyebrows among some European Union employers. Employers should note that any organization is able to appoint a DPO, regardless of whether or not the GDPR requires the DPO to be appointed. Employers must ensure that they have sufficient staff and skills to discharge their obligations under the GDPR. Let’s talk about data protection privacy impact assessments. These can help organizations identify the most effective way to comply with their data protection obligations and meet individuals expectations of privacy.

Employers will be required to carry out the personal impact assessments if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals. This will affect various aspects of HR activity, particularly in the recruitment and post employment arenas. It is easy to see how vetting and assessment activities in recruitment, for example, will trigger a personal impact assessment.

10. Data Breaches & what to take away from that

Hi guys. Let’s discuss about data breaches and what to take away from that. Regarding data breaches, there are some positive actions that are most trivial for all the breaches. Employers will need to inform the relevant regulator of a personal data breach within 72 hours of becoming aware of the bridge unless they are able to demonstrate that the breach is unlikely to result in risk to the individual’s rights and freedoms. While health reporting has always been an option for employers to mitigate the risk of enforcement action, this has now become an obligation on employers for arguably all but the most trivial of breaches. In tandem, the ICO and other national regulators will also have increased investigations and audit powers and rights to require information and access to premises. The reason to care penalties Currently, fines under national member states law really vary under the GDPR.

However, fines will be significantly increased across the European Union and will be divided on a two tier basis as follows up to 2% of annual worldwide turnover of the preceding financial year, or €10 million, whichever is greater for violations relating to internal record keeping, data processor contracts, data security and data breach notification, data protection officers and data protection by design and default, and up to 4% of annual worldwide turnover of the preceding financial year, or €20 million, whichever is greater, for violations relating to breaches of the data protection principles, conditions for consent, data subject rights and international data transfers.

In short, employers who previously regarded non compliance with European Union Data Protection law as a low risk issue will be forced to reevaluate their position. Multinational employers also need to closely monitor developments in other member states, such as Germany, where lawmakers have already stated their intention to make use of the GDPR delegations for employee data protection. Some member states may raise the bar for local HR operations in certain areas. Example lower thresholds for appointing Nepos and determining specific conditions for processing of a national identification number. What to take away from that?

Well, employers need to take notice of the ways in which they process employee data, the purposes for which they process employee data, and the processes and procedures in place in their organization for the collecting, transferring and storing employee data. The UK’s ICO has taken a pragmatic approach to enforcement and is unlikely to change that. Maximum fines are likely to be imposed only as a last resort. However, other regulators may also have a say in enforcement against UK businesses, for example, where it is primarily their own citizens who are impacted, and this means the decision may not be the ICOs alone.

In order to tackle these requirements and best protect the business, I recommend the following steps review current data protection policies and practices allocate appropriate resources to deal with the enhanced compliance burden that review employee data flows use of employee data and ways in which data is processed and stored, put in place, updated or new internal data protection policies, staff training, internal audits processing activities and audits of processing activities and reviews of internal HR policies. Then assess business needs and identify employees who will require early training on the new reforms, with a view to rolling out revised data protection training for all employees nearer to the date of implementation. Where appropriate, appoint a data protection officer or DPO and or nominate an individual or officer to oversee compliance with the reforms. Implement measures that meet the principles of data protection by design and data protection by default. Use personal impact assessments where appropriate. Appropriate and the last one review and implement policies for reporting future data breaches, which should tie in with whistleblowing.

11. Action Steps from HR perspective

Hi, guys. Many HR professionals are starting to consider the practical impact of the GDPR on HR procedures, policies, and other documentation. While certain employers may have already started to consider what changes will be required, my experience is that there is still some uncertainty about how HR documentation should be amended or indeed drafted for the first time. How does an employer know where to start? The answer to this question will largely depend on the results of any HR data audit that the employer has already carried out. Without this information, it is very difficult to assess whether the HR related procedures and documentation which are currently in place will be compliant under the GDPR. However, it is highly likely that one of the first remedial steps will be to consider the lawful basis upon which HR data will be processed under the GDPR.

As this information will be a key component of a number of employment related documents, most employers currently rely on consent as the lawful ground upon which they process data. Whilst this will remain a lawful ground for processing data under the GDPR, where consent is used, it will be subject to much stricter thresholds, and we already discussed about that in the previous lessons. Further, it is important that it should be as easy for an individual to withdraw their consent as it was to provide it in the first place. In light of these strict requirements, it will be very difficult to establish that an employee’s consent is generally freely given in the context of the employment relationship due to the unequal bargaining power of the parties and the employees genuine ability to refuse to give consent. There may well be very specific one of circumstances where consent can be relied upon in this context, but employers should consider it as a last result.

As such, employers will need to consider which of the other lawful grounds for processing data may be relevant to its processing of HR data. In the context of handling employee data, it may very well be the case that the processing activity will be necessary for the performance of a contract. For example, it will be necessary to process an employee data to pay that employee under the employment contract, or because the processing is necessary for, let’s say, compliance with a legal obligation.

For example, certain data will need to be processed to make Social Security payments, such as statutory sick pay or maternity pay. Alternatively, where an appropriate assessment is carried out by the employer, there may also be scope to rely on the ground that the processing activity is necessary for the purposes of legitimate interest portion by the business. For example, employers need next of kin contact details in case of an emergency. Will employment contracts need to be amended? Many employers currently rely on blanket consent clauses which are contained within the employment contract.

In light of the changed requirements for consent to be valid, it is likely that any such consent provisions will need no longer be valid and should be removed from the employment contracts. Notwithstanding the above, my recommendation is that it will still be sensible for employers to include a revised data protection clause in their contracts. Amongst other things, this will serve as a notification to employees that they must comply with the company’s policies in relation to data protection whenever they are handling personal data in their work. The contract should also notify the employees that full details about the data that the company is processing and this data is about them is contained in a separate privacy notice.

12. HR related policies and procedures

As part of an employer’s ongoing GDPR compliance program, it is recommended that the following policies and procedures are developed and implemented first. Data Retention and Disposal Policy a core principle of GDPR is that data should not be retained for longer than is reasonable necessary to enable the processing for which that data was obtained to take place. For example, this is called storage limitation. Employers will therefore need to be able to demonstrate that data is retained for an appropriate period.

A key way to demonstrate that thought has been given to this matter is to develop a policy that provides guidelines in relation to appropriate retention periods for certain HR documents. This will likely include details about the measures that the employer is taking to ensure the security of that data, both during the period whilst it is retained and in relation to the manner in which it is disposed. Then subject Access Requests certain rules relating to SARS will be changing under the GDPR.

The changes should be documented in a revised policy so that those involved in handling such requests are aware of the new rules, including revised time periods for responding to SARS, the increased information that must be provided to employees making a SAR, the extent of the search, and the new provisions related to payment of fees. Beyond ensuring that the new SAR procedure complies with the text of the GDPR, any new procedure is likely to include at least one meeting with the person making the SAR to clarify the scope of the SAR and discuss relevant arrangements for responding. The policy is also likely to reserve the employer’s right in appropriate circumstances, only to extend the deadline for responding to a SAR subject access request and potentially charging a fee or not responding to a SAR at all. Then you have personal data breach, notification and response plan.

The GDPR will mean new mandatory data bridge reporting obligations are set out, and you can find that in our full GDPR compliance course. Employers will need an appropriate procedure in place to ensure that personal data breaches are handled consistently and correctly across the organization and that staff know what to do should they become aware of such a breach. And in the end, you have the Legitimate Interest Policy as outlined above, one of the potentially lawful grounds for processing personal data arises where the processing is necessary for the purposes of the legitimate interest of this employer. When relying on this ground, employers should have a clear and documented process in place for assessing whether in any particular circumstance it can validly rely on this ground.

Accordingly, to policy which sets out some typical legitimate interests of the employer is highly, highly recommended. This will also detail the process that the employer will follow to ensure, in relation to any new processing activities that any such legitimate interests do not override by the rights and freedoms of the employee. The documentation aspect of this is essential to comply with the new GDPR principle of accountability. That means being able to prove compliance if called upon by the ICO. Besides the letter, you will find all these templates either in this course or the ones dedicated to full GDPR compliance and incident response for GDPR.

• Category: Uncategorized