Practical Tips on GDPR for HR

This is an article about the four letters in GDPR – the General Data Protection Regulation.  GDPR has a direct effect across all EU member states however, it gives member states limited opportunities to make provisions for how it applies in their country. The Irish Data Protection Act 2018 outlines these details.

Notably, there have been more than 1,100 reports of data breaches involving personal information made to the Data Protection Commission since GDPR came into effect.

The 1,184 reports, which compare to an average of 230 per month in 2017, would appear to reflect stricter reporting rules which came in under GDPR.

Now that we have had a few months for the new Act to bed in, let’s take a look at some key issues under the four most hated letters in the English language: G D P & R…

G – General but genius tips on dealing with data responsibilities in your HR department.

D – Data – What data is protected and what to do when an employee asks for references about them in their personnel file or wants an investigation report to be expunged.

P – Protection of personal data – how to encrypt HR data, protocols for mobile devices and practical advice for staff when working from home.

R - Regulation and compliance – how to build data protection into your HR meetings, training and decision-making processes.

G – General but genius tips on dealing with data responsibilities in your HR department.

1. Know Your Data

It is crucial to delineate what information you hold on your employees. HR practitioners manage endless amounts of employee data. Some of this will fall into what was previously classed as sensitive data and is now classed as ‘special category’ data. It is important to understand what data you are capturing within your organisation, more specifically, how it is processed, what you do with it, and who you share it with. This can be achieved by carrying out an audit or data flow analysis exercise.

And of course, you must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

It is also important to note that if you outsource any of your HR functions, GDPR gives processors responsibilities and liabilities in their own right, and processors, as well as controllers, may now be liable to pay damages or be subject to fines or other penalties. It is crucial to have a contract in place and that both parties understand their responsibilities and liabilities.

You must determine your lawful basis before you begin processing. You should document it and you should take care to get it right the first time, as it will be much harder to swap between lawful bases at will if you find that your original basis was invalid.

The GDPR brings in new accountability and transparency requirements. You should, therefore, make sure you clearly document your lawful basis so that you can demonstrate your compliance in line with Articles 5(2) and 24.

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:          

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Special Category: Special category data is personal data that is more sensitive, and so needs more protection, for example, information relating to data subjects disability, ethnicity, religion or health. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.

It is important to ask:

• Why are you holding it?
• How did you obtain it?
• Why it was originally gathered?
• How long will you retain it?
• How secure is it, both in terms of encryption and accessibility?
• Do you ever share it with third parties and on what basis might you do so?

2. Know How and When to Report a Data Breach

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority, the DPC, and the affected individuals.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data required to notify.

When reporting a breach, the GDPR says you must provide a description of the nature of the personal data breach including, where possible:

• the categories and approximate number of individuals concerned; and
• the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

3. Understand the Increased Rights of Individuals

You have a range of rights when a person or organisation takes and records your personal details. Please read this section carefully to make sure that you are aware of your rights.

Right to have your details used in line with data protection regulations

A data controller who holds information about you must:

• get and use the information fairly;
• keep it for only one or more clearly stated and lawful purposes;
• use and make known this information only in ways that are in keeping with these purposes;
• keep the information safe;
• make sure that the information is factually correct, complete and up-to-date;
• make sure that there is enough information – but not too much - and that it is relevant;
• keep the information for no longer than is needed for the reason stated; and
• give you a copy of your personal information when you ask for it.

Right to information about your personal details

Data controllers who obtain your personal information must give you:

• the name of the organisation or person collecting the information or for whom they are collecting the information;
• the reason why they want your details; and
• any other information that you may need to make sure that they are handling your details fairly – for example, the details of other organisations or people to whom they may give your personal details.

If an organisation or individual gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.

Right to access your personal details

You can ask for a copy of all your personal details by writing to any organisation or person holding these details on a computer or in manual form. See the section below on 'How to request access to your details'.

You can also ask the data controller to inform you of any opinions given about you, unless the data controller considers that the opinions are confidential. Even in such cases, your right to such information will usually be greater than the right of the person who gave this opinion in private. This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence.

You should also be informed of, and given the chance to object to, any decisions about you that are automatically generated by a computer without any human involvement.

Right to know if your personal details are being held

If you think that an organisation or individual may be holding some of your personal details, you can ask them to confirm this within 21 days. If they do have personal details about you, they must tell you which details they hold and the reason why they are holding this information. You can ask for this information free of charge.

Right to change or remove your details

If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.

Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.

In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so.

Right to prevent use of your personal details

You can also ask a data controller not to use your personal details for purposes other than their main purpose – for example for marketing.

You can do this by simply writing to the organisation or person holding your details and outlining your views. Within 40 days, they must do as you ask or explain why they will not do so.

Right to remove your details from a direct marketing list

If a data controller holds personal details about you for direct marketing purposes, you can ask them to remove your details. You can do this by writing to the organisation or person holding these details. They must let you know within 40 days if they have dealt with your request.

Right to object

A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you unnecessary damage or distress, you may ask the data controller not to use your personal details.

This right does not apply if:

• you have already agreed that the data controller can use your details;
• a data controller needs your details under the terms of a contract to which you have agreed;
• election candidates or political parties need your details for electoral purposes; or
• a data controller needs your details for legal reasons.

You can also object to use of your personal details for direct marketing purposes if these details are taken from the electoral register or from information made public by law, such as a shareholders' register. There is no charge for objecting.

Right to freedom from automated decision making

Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated by a computer, unless you agree to this.  For example, such decisions may be about your work performance, creditworthiness or reliability.

Right to refuse direct marketing calls or mail

If you do not want to receive direct marketing telephone calls, you should contact your service provider. They will make a note of your request in the National Directory Database (NDD) 'opt-out' register. It is an offence to make direct marketing calls to any phone number listed in the NDD. If you have not included your phone number in this register, you can also refuse such calls by simply asking the caller not to phone you again.

An organisation must get your permission before they contact you by fax machine or automated dialling for direct marketing purposes.

An organisation must also get your permission before they send marketing emails to your computer or before they send marketing text messages to your mobile phone.

4. Ensure Accountability

Accountability is one of the data protection principles - it makes you responsible for complying with the GDPR and that you must be able to demonstrate your compliance. You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

There are a number of measures that you can, and in some cases must take including:

• adopting and implementing data protection policies;
• taking a ‘data protection by design and default’ approach;
• putting written contracts in place with organisations that process personal data on your behalf;
• maintaining documentation of your processing activities;
• implementing appropriate security measures;
• recording and, where necessary, reporting personal data breaches;
• carrying out data protection impact assessments (DPIAs) for uses of personal data that are likely to result in high risk to individuals’ interests;
• appointing a data protection officer; and
• adhering to relevant codes of conduct and signing up to certification schemes.

Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place. If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation. Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.

5. Train Your Staff and Update Your Policies

You should provide data protection training for all staff on GDPR implications ensuring they are aware of the relevant policies and changes. 

Organisations are increasingly vulnerable to the risk of loss, damage or destruction of their data and the new requirement to notify the DPC within 72 hours of a breach means you should ensure staff are trained on how to keep data secure.

A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.

Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures. Where appropriate, you should look to use measures such as pseudonymisation and encryption.

Data Retention and Disposal Policy: One of the six privacy principles under the GDPR is “storage limitation.” This should include the measures you are taking to ensure the security of data during the period it is retained, and how you will securely dispose of the data when it is no longer needed. The GDPR does not specify particular retention periods, but you should not hold on to data longer than necessary.

Privacy Notice: Staff need to be informed about the data you hold about them, how it will be processed, details about the organisation’s lawful right to process it, and how their right to privacy will be respected.

Data Subject Access Requests Policy: Data subjects – those whose data is held or processed by an organisation – have the right to make a subject access request to find out what information is held about them. There is now a shorter timeframe for a response (one month) and no fee payable, make sure your policy reflects this.

Data Breach Reporting Policy: HR departments need to inform their staff about the steps an organisation would take in the event of a data breach. This should be a comprehensive plan that follows the guidelines set out by the DPC, and include the need to report data breaches within 72 hours and inform the relevant parties.

D - Data - What data is protected and what to do when an employee asks for references about them in their personnel file or in an investigation report to be expunged.

What Constitutes Data?

When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. This process is known as data protection. We refer to organisations or individuals who control the contents and use of your personal details as 'data controllers'.

Most of us give information about ourselves to groups such as Government bodies, banks, insurance companies, medical professionals and telephone companies to use their services or meet certain conditions. Organisations or individuals can also get information about us from other sources. Under data protection law, you have rights regarding the use of these personal details and data controllers have certain responsibilities in how they handle this information.

You have the right to data protection when your details are:

• held on a computer;
• held on paper or other manual form as part of a filing system; and
• made up of photographs or video recordings of your image or recordings of your voice.

In the context of an employment relationship, personal data will include an employee’s name, gender and other social characteristics, such as race or religion and date of birth; home address and contact details; employment history information; payroll and tax information; bank account information; and just about any information that relates to an identified or identifiable employee.

Requests for Erasure

Once a request for erasure is made on one of the bases in Article 17(1), the employer must erase it without delay unless continued retention is necessary for certain specified reasons contained in Article 17(3), including the need to comply with a legal obligation; exercising an official authority; and the establishment, exercise, or defence of legal claims.

P – Protection of personal data – how to encrypt HR data, protocols for mobile devices and practical advice for staff when working from home.

Encryption

Encryption protects information stored on mobile and static devices and in transmission. It is a way of safeguarding against unauthorised or unlawful processing of data. There are a number of different encryption options available. Organisations should consider encryption alongside other technical and organisational measures, taking into account the benefits and risks that it can offer.

Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.

Encryption is the process of encoding information stored on a device and can add a further useful layer of security.  It is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network.  As with passwords, this measure is pointless unless the key to decrypt the data is kept secure. 

More information on encryption can be found here:
https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm#6

Mobile Devices

There is a recent trend to allow employees to use their own devices at work. Essentially, this means that the device is connected remotely to company systems. There are obvious risks in this - the employee's personal device can be lost or stolen, confidential proprietary information can go missing more easily, and there are legal risks as well, as the device is not owned by the company but is responsible for the personal data belonging to the company that may be on the device. If a company allows its employees to use their own devices at work it is essential to have a ‘bring your own device’ policy in place to address these issues.

Organisations should consider encryption, automatic data deletion and remote data deletion to minimise the risks involved. Many companies have an ability to delete their information remotely. This means that if the employee loses his device, the company may be able to recover or delete company information from it.

David Fagan, data protection expert and head of Business Legal, provides an excellent video series on data security which is available on the Legal-Island hub:
https://www.legal-island.ie/regular-features/data-security/

Home Working

Nowadays there is an increasing number of employees working from home. It is important for employees to ensure confidential information is safe and secure whilst doing so. Staff need to understand the importance of protecting personal data, become familiar with their organisation’s security policy and put its procedures into practice.

R- Regulation and compliance – how to build data protection into your HR meetings, training and decision-making processes.

Data Protection by Design and Default: You should integrate appropriate technical and organisational measures into your processing activities and business practices to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.

Data protection by design and by default are legal requirements under the GDPR, as outlined in Articles 25(1) and 25(2).

Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.

As expressed by the GDPR, it requires you to:

• put in place appropriate technical and organisational measures designed to implement the data protection principles; and
• integrate safeguards into your processing so that you meet the GDPR's requirements and protect the individual rights.

Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose and links to the data protection principle of data minimisation.

You must consider things like:

• adopting a ‘privacy-first’ approach with any default settings of systems and applications;
• ensuring you do not provide an illusory choice to individuals relating to the data you will process;
• not processing additional data unless the individual decides you can;
• ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
• providing individuals with sufficient controls and options to exercise their rights.

The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:

• you consider data protection issues as part of the design and implementation of systems, services, products and business practices;
• you make data protection an essential component of the core functionality of your processing systems and services;
• you only process the personal data that you need in relation to your purposes(s) and that you only use the data for those purposes;
• personal data is automatically protected in any IT system, service, product, and/or business practice so that individuals should not have to take any specific action to protect their privacy;
• the identity and contact information of those responsible for data protection are available both within your organisation and to individuals;
• you adopt a ‘plain language’ policy for any public documents so that individuals easily understand what you are doing with their personal data;
• you provide individuals with tools so they can determine how you are using their personal data, and whether you are properly enforcing your policies; and
• you offer strong privacy defaults, user-friendly options and controls, and respect user preferences.

DPIAs (Data protection Impact Assessments) are an integral part of data protection by design and by default. They can be used to identify and reduce the data protection risks of your processing activities. They can also help you to design more efficient and effective processes for handling personal data.

• Under the GDPR, DPIAs will be mandatory for any new high-risk processing projects.
• The DPIA process will allow you to make informed decisions about the acceptability of data protection risks, and communicate effectively with the individuals affected.
• Not all risks can be eliminated, but a DPIA can allow you to identify and mitigate against data protection risks, plan for the implementation of any solutions to those risks, and assess the viability of a project at an early stage.
• If a DPIA does not identify mitigating safeguards against residual high risks, the Data Protection Commissioner must be consulted.
• Good record keeping during the DPIA process can allow you to demonstrate compliance with the GDPR and minimise the risk of a new project creating legal difficulties.

Training Resources

Did you know we offer an eLearning Data Protection in the Irish Workplace course which is tailored specifically to provide your employees with comprehensive training and you with an evidence trail for the DPC, should a data breach occur.

Useful Tools

More information on DPIAs can be found on the Data Protection Commission’s website:
http://gdprandyou.ie/data-protection-impact-assessments-dpia/

The Data Protection Commission has a wealth of resources that can help organisations implement data protection principles into their training and processes:
http://gdprandyou.ie/resources/

This article is for general information purposes only and does not constitute legal or professional advice. Most of the guidance contained in this article was derived from information found on the Data Protection Commission’s website:

https://www.dataprotection.ie/docs/Home/4.htm

Their guidance document ‘The GDPR and You’
http://gdprandyou.ie/wp-content/uploads/2017/05/The-GDPR-and-You-2.pdf

And information from the ICO website (UK supervisory body): 
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/?q=staff+training