HR & GDPR
HR Checklist for GDPR compliance
This checklist will cover the main areas you need to address to prepare for the GDPR (General Data Protection Regulation), which comes into force on May 25th, 2018.
People is a web-based human resources management system that helps progressive HR professionals make better decisions, engage their workforce, and deliver high-impact results that influence your organisation's success. Thousands of companies rely on People to handle essential HR tasks such as recruitment, performance and holiday management. But beyond helping you work more efficiently than you can with spreadsheets, paper files and email, People also helps make your work more meaningful. Built-in advice based on HR best practice shows you a clear path for your HR processes, while heat maps, alerts and reminders support good judgement calls in areas such as absence and attendance. Visual, clutter-free and easy to pick up, People automates the tasks you hate, and draws your attention to the areas of HR that will make the biggest difference, helping you boost business growth and master your career. Your journey with People begins with a proven implementation process that safely moves your data into its new home, and continues with expert support, every step of the way, from a friendly team of experts. Modern and mobile, everybody in your workforce will find it easy to manage their own routine tasks from anywhere in the world, and you'll make a big impression at every level of business, from giving front-line employees a holiday booking system that makes sense, to showing your board-level directors the impact HR has on their bottom line.

Born from a passion for innovation and a desire to create something better, Keystone was established with one mission: to provide clients with dedicated legal advice delivered by experienced lawyers at competitive rates. The business proposition was twofold. Invest in technology, to form a business that could operate seamlessly, minus the added overheads often found in the traditional law firm and without the need for a high volume of support staff - all of which usually result in added expense for the client. Appoint lawyers who combine in-depth legal knowledge, client empathy and an entrepreneurial spirit.
Our original business model makes us an ideal choice for companies both large and small, and our commitment to building strong relationships has resulted in many household names investing in us as their trusted adviser. Meanwhile, the flexible and agile offering that we maintain enables us to cater for a wealth of private clients. We are proud to offer clients a 250-strong lawyer offering across nine key locations. Our team is a carefully curated group of individuals who average 23 years post-qualification experience. Some have built their careers at some of the UK's most established firms; others have cut their professional teeth in-house at major multinationals. Whatever the background, our advisers are always loyal to the Keystone culture. And at the heart of the culture is the priority that we place on each client and their individual needs.

FOR FURTHER INFORMATION
RACHEL TOZER
Consultant Solicitor
Rachel is an employment lawyer who advises UK and international clients on all aspects of UK employment law, from tribunal claims, business reorganisations and transactions to day-to-day HR advice. Rachel has co-authored a book explaining the current data protection laws and best practice to employers and is busy helping several employers prepare for GDPR.
T: 020 3319 3700
E: rachel.tozer@keystonelaw.co.uk
Checklist

1. Raise awareness
A recent survey has found that a quarter of businesses in London are entirely unaware of the new law and only 16% are prepared for it. GDPR is not an HR issue alone. Your business's Board of Directors should be fully engaged with preparing the whole business for this change.

2. Nominate a data protection officer/privacy manager
Not all employers have to appoint an official data protection officer, but all businesses will need to assign responsibility for data protection compliance to an individual or team of appropriate people. If the person responsible for protecting HR data in your company isn't you, make sure your data protection officer/privacy manager sees a copy of this checklist. SMEs (Small and Medium Enterprises) might find they don't have the resources to allocate one person sufficient time to cover all of the business's data protection needs. You might find it easier to delegate data protection responsibility by department or get specialist advice on how to manage GDPR in your business, but there will need to be an overall plan.

3. Create a data log
Consider what data you process, and create a log demonstrating the following. This will help you to show GDPR compliance and that you proactively protect data in an easily audited manner.
- The type of data (e.g. personal, or special personal (which used to be called sensitive))
- The categories of data (e.g. recruitment information, bank details, performance information, absence details)
- Who the data concerns (e.g. employees, next of kin, applicants, etc.)
- Who has provided the data to you (e.g. the applicant/employee themselves, credit reference agencies, other employees)
- What legal basis you have to process (e.g. to perform the employment contract, complying with a legal requirement, or legitimate interests (you need to identify which interest you are relying on and balance it against the individual's rights and freedoms)). Also remember that consent will rarely be valid in an employment context under the GDPR.
- What additional legal right you have to process special data (e.g. complying with employment law or assessing the working capacity of an employee)
- The purpose of processing (e.g. to pay the employee, to report salary information to HMRC, to manage performance)
- Where the data will be stored and who has access to the data (e.g. digitally in HR software which only HR can access)
- Data transfers (if this is a regular occurrence, you may need a separate log). You should also include any events of data being transferred, including: who data was transferred to, when it was transferred, where they are storing it, and how you transferred the data.
- Whether you are transferring any personal data outside of the EU and, if so, what protections are in place
- When data will be deleted (e.g. a period of time after an unsuccessful application/after the employee leaves)
- Whether you carry out any automatic decision making or profiling (e.g. electronic recruitment sifting based on academic achievements, psychometric testing)
- Whether you need to carry out a data protection impact assessment and when you are likely to need to do so in the future (e.g. because you carry out or will carry out high risk processing, or will be introducing new technology)
- How you respond to data breaches

4. Check your IT infrastructure allows you to be compliant
Your IT infrastructure will be highly relevant to two main themes in terms of GDPR compliance: security and employees' rights.

Security issues:
- Is the IT system secure? GDPR states data protection should be by design and default, i.e. it should be part of project planning from the outset, not an afterthought. You should consider using a password policy for employees, and/or two-factor authentication. A single sign-on policy for your employees may be useful. The relevant level of encryption should be deployed on all company devices.
- Is all your HR data really only stored in HR? Do managers keep their own records? How are such records secured?
- Don't forget about hard copy documents: think about data which is taken out of the office, whether to external meetings, to employees' homes or to customers' sites. Is that necessary and, if so, how will you ensure it is kept secure?

Employee rights:
- Do your automated decision-making processes allow you to deal with objections and involve a human decision maker if requested?
- Can you easily search for all data relating to a particular individual? This will make responding to subject access requests much easier.
- Can you restrict data so that it is merely held but not otherwise processed? This will be necessary in some situations.
- What processes do you have for an employee to exercise their right of objection?
- How do you ensure that the data you are holding is up to date and accurate?
- How will you achieve the deletion of personal data, across the business, at an employee's request in relevant situations?
- Can you export data from your system? .csv, .pdf or .txt files are regularly accepted formats. This will allow you to manage the portability (i.e. transfer) of the data to the employee or to a future employer at their request.

There is another potentially important question: where are the servers housed? If you store data on servers which are situated outside of the EU, you are transferring data outside of the EU and need to ensure adequate protection is in place.

5. Update data protection policies and employment contracts
You will need to update your data protection policies and inform your employees at every level of the business of any changes you make. You should communicate the changes in plain language. Five key policies to update include:
- Privacy notice to staff: this needs to tell your employees the types of data which you hold about them, your lawful ground for processing it, the purposes for which you will process it, and their rights with respect to their data.
- Data protection policy: this should set out the business's commitment to data protection and tell employees about their obligations relating to personal data which they will process in their roles. This will include security measures.
- Data breach reporting policy: you should have a comprehensive plan in place that follows the ICO guidelines for breach reporting. This needs to meet particular time frames and include all the relevant parties.
- Subject access policy: ensure you have the means to meet subject access requests in the specified time frame and are able to provide all the relevant data.
- Data retention policy: ensure you analyse how long you need to keep data and that it is then securely destroyed after the specified retention period.
Other policies will also need updating (e.g. the disciplinary policy). Data protection clauses in employment contracts and individual contractor agreements will need to be changed so that they no longer seek to rely on consent as the lawful ground for processing.
6. Ensure staff have the correct training
Make sure all your employees receive an adequate level of training for handling personal data, specific to their job role. They must be informed of the correct policies and procedures. Training needs to be refreshed on a regular basis and you need to keep records of the training provided.

7. Health-check relationships with other group companies, other businesses, or services
Check in with your HR software provider
Similar to your IT infrastructure, you need to check whether the software you are using allows data access, restriction, objection and portability. If not, you may need to consider another provider. Before you do so you will need to undertake a data protection impact assessment. If you aren't using HR software, you still need to be able to ensure the same individual rights are upheld.

Check in with recruiting agencies/benefit providers/outsourced service providers
It is important that any other entities with whom you share personal data also have stringent data protection policies in place and only process the personal data which you provide in accordance with your instructions. For example, if you use a recruiting agency to source your staff, then you need to find a secure way of sharing applicant information. You should ensure that all contracts with external providers (e.g. outsourced payroll services, pension providers, life assurance and private medical insurance companies) contain adequate data protection obligations.

Check in with group companies
Parent companies, wherever they are based in the world, often like to receive reports from their subsidiaries, which often contain personal data. First, you need to assess whether there is a lawful reason to share this information. Secondly, you need to consider where your group companies are based: are they outside the EU? If so, you can only transfer personal data if there is sufficient protection in place (such as the Privacy Shield with respect to US companies, a European Commission decision which confirms that the laws of the country are sufficient, or particular contractual clauses entered into between group companies).
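As an added example (not part of the original checklist), here is the data log from item 3 expressed as a Python record, with a review function that flags the points items 3, 4 and 7 raise: consent used as the lawful basis, special data without an additional legal right, storage or transfer outside the EU without one of the protections named in item 7, and automated decisions with no human decision maker available on request. The field names, country and safeguard codes, and sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Added example, not from the checklist: one row of the HR data log from item 3,
# checked for the points items 3, 4 and 7 raise. Field names and codes are assumed.
LAWFUL_BASES = {"contract", "legal_obligation", "legitimate_interests", "consent"}
SAFEGUARDS = {"privacy_shield", "adequacy_decision", "contractual_clauses"}
EU = {"GB", "DE", "FR", "IE", "NL", "ES", "IT"}  # shortened list for the example


@dataclass
class LogEntry:
    category: str                  # e.g. "bank details"
    subjects: str                  # e.g. "employees"
    purpose: str                   # e.g. "pay the employee"
    lawful_basis: str
    storage: str                   # e.g. "HR software, HR team only"
    retention_days: int            # delete this long after the trigger event
    special: bool = False          # special (formerly "sensitive") data
    special_condition: str = ""    # additional right to process special data
    interest: str = ""             # the legitimate interest relied on
    countries: list = field(default_factory=list)  # where stored or sent
    safeguard: str = ""            # protection covering non-EU transfers
    automated_decision: bool = False
    human_review: bool = False     # a person can be involved on request


def review(e: LogEntry) -> list:
    """Return the findings a privacy manager would want flagged for one entry."""
    findings = []
    if e.lawful_basis not in LAWFUL_BASES:
        findings.append("unknown lawful basis")
    elif e.lawful_basis == "consent":
        findings.append("consent is rarely valid in an employment context")
    elif e.lawful_basis == "legitimate_interests" and not e.interest:
        findings.append("legitimate interest relied on is not identified")
    if e.special and not e.special_condition:
        findings.append("special data needs an additional legal right")
    outside = sorted(set(e.countries) - EU)
    if outside and e.safeguard not in SAFEGUARDS:
        findings.append("transfer outside EU (%s) lacks a safeguard" % ", ".join(outside))
    if e.automated_decision and not e.human_review:
        findings.append("automated decision with no human decision maker on request")
    return findings


def deletion_date(e: LogEntry, trigger: date) -> date:
    """Date the data falls due for deletion, e.g. trigger = the leaving date."""
    return trigger + timedelta(days=e.retention_days)
```

Run `review` over every row of the log to get a list of gaps per category, and `deletion_date` against each employee's leaving date to drive the retention policy from item 5.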
This checklist is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that, at the date this checklist has been prepared, the Information Commissioner has not yet published all of her Guidance relating to the GDPR.