On 25 May 2018, the European Union (EU) brought into force the General Data Protection Regulation (GDPR), with the aim of harmonising data protection laws across Europe and giving greater protection to individuals. It is one of the biggest changes to data protection rules in the last two decades.
GDPR has a significant and far-reaching impact on how businesses collect, process, store and transmit two categories of data: personal data, and its subset, sensitive personal data (which GDPR calls 'special categories of personal data'). Additionally, because the regulation applies extraterritorially, it affects any Australian organisation that controls or processes the personal data of individuals in the EU, regardless of whether the processing itself takes place in the EU.
Many Australian businesses will therefore have to comply with GDPR and the big changes it brings to data protection, particularly with regard to individuals' rights and the collection and processing of personal data. Failure to do so could not only cost the business financially but could also damage its reputation.
An individual’s rights
One of the most prominent changes GDPR brings is an increase in the rights individuals have regarding their personal information. Under the new regulation, individuals have the right to be informed, right of access, right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling.
This is a big deal for businesses, as they now need to know exactly where every piece of personal data is held, and it needs to be accessible on request. This becomes even more complex if a business has shared the data with a third party: when an individual exercises the right to erasure, the business must also inform the third party so that it erases its copies of the data as well.
Collecting and processing personal data
GDPR also brings in tighter rules about obtaining consent from individuals to collect their data, and about what businesses may do with it once it is collected. This is why you may have noticed a flood of emails hitting your inbox about updated privacy policies.
Businesses are now required to request active consent to use individuals' data, and that consent must be 'freely given'. Pre-checked boxes, consent inferred from inaction, and paragraphs of legal fine print are no longer acceptable. When requesting consent, businesses need to tell the individual exactly why they are collecting the data, how it will be processed, what it will be used for and how long it will be kept, all in easy-to-understand language, which essentially means no legal jargon.
Additionally, there is no catch-all consent. The business needs to obtain consent for each distinct processing purpose. Consent is also not permanent: individuals may withdraw it at any time, and withdrawing it must be as easy as giving it.
Non-compliance will be costly
EU regulators are likely to come down hard on businesses found to be blatantly non-compliant with GDPR. A business can be fined up to four per cent of its annual global turnover or €20 million, whichever is greater.
There are no carve-outs by size or sector either. Every business that falls within the scope of GDPR is accountable.
It is not just financial risks businesses need to be aware of. With the huge privacy debates taking place on a global scale, employees and customers are becoming increasingly aware of how their data is being used.
Hence, any organisation found to be in breach of applicable privacy laws is at risk of serious reputational damage. Additionally, the ability of customers to request a copy or transfer of their data at any time adds further complexity to data retention.
Why GDPR matters to HR and payroll
So, why does GDPR matter to HR and payroll? The main reason is that, under GDPR, personal data includes that of a business's employees, as well as its customers and clients. This differs from current Australian privacy law, which contains an exemption for employee records held by private-sector employers.
HR and payroll teams need to know and understand the data privacy requirements set out in GDPR and how they apply to employees. They increase both the business's obligations to protect its HR data and what employees can request from the company.
An employer normally has to collect many personal data elements from its employees for various reasons. Some of these data elements may fall into the category of ‘sensitive personal data’.
As such, employees enjoy the same level of protection under GDPR as customers. All requirements of GDPR, such as data flow maps, data protection impact assessments, and technical and organisational security measures, now need to be considered from an HR and payroll perspective.
So, what are the things to be mindful of and how can payroll and HR teams prepare for GDPR?
The question of obtaining consent
Obtaining employee consent, often bundled into the employment contract, has been one of the common ways employers have legitimised the collection and processing of employees' personal data.
Under GDPR, consent is held to a higher standard, and because of the imbalance of power between employer and employee, consent given in the employment relationship is unlikely to be regarded as freely given. Employers should therefore rely on another lawful basis for processing, such as 'processing is necessary for the purposes of the legitimate interests pursued by the controller' or 'processing is necessary for compliance with a legal obligation to which the controller is subject'.
Both of these bases require the employer to clearly establish and communicate the purpose of the processing: for example, why monitoring employee behaviour is necessary, or why a particular data element is required to run payroll.
Simply stating a purpose is not enough, however. If the purpose itself is not legitimate, declaring it will not survive scrutiny against the protections GDPR gives individuals. Under the regulation, the legitimate interests of the business can be overridden by the interests or fundamental rights and freedoms of the data subject, so the reasons for processing personal data must be robust and documented to ensure compliance.
Employee rights and requests
Under GDPR, employees have the same rights as a customer or client when it comes to their personal data. This means they have the right of access, the right to rectification, the right to data portability and the right to erasure for any data held by an employer, subject to the conditions and exceptions that apply to each of these rights under GDPR.
If an employee makes a request to exercise their data subject rights, the employer generally has to fulfil it within one month; this can be extended by a further two months for complex or numerous requests, provided the employee is told of the delay within the first month.
One common practice is to build an intranet page or portal for employees which details what data the business collects, how it is collected, how it is used and how long it is stored. This needs to be written in plain language that is easy for all employees to understand. Businesses that operate across multiple languages may want to make translations of these notices available.
It should also detail the rights employees now have over their data, and clearly outline the process for making a request and who is responsible for handling it.
Since data protection and privacy are so closely related, access to employee personal information should be restricted to authorised personnel only. Unauthorised access to that data is a personal data breach under GDPR, and the employer will have to go through the associated processes, including notifying the relevant supervisory authority within 72 hours of becoming aware of the breach where feasible.
The requirements brought in by GDPR are far-reaching and large in scope. Organisations with an existing privacy program based on applicable APAC privacy laws may find that they already meet much of GDPR inherently. However, they will still need to work towards meeting GDPR's specific requirements, such as the employee rights and breach notification obligations described above.
Even organisations that do not operate in the EU could use the GDPR framework as a best-practice model. After all, growing awareness of data privacy and the way businesses manage information will continue to draw attention from governments, media and customers.
For payroll operations, GDPR has a significant impact on how employees' personal data is collected and stored, especially where 'special categories of personal data' (sensitive personal data) are included. This means getting on top of the data you and your partners use.
Anij Janardhanan is the Head of Global Compliance and Business Excellence at payroll and human capital management software solutions provider Ascender.
Anthill has updated its privacy page to reflect these changes and the data we collect. For further information, please click here: http://anthillonline.com/privacy-policy/