The GDPR extends the reach of EU data protection in its substance, its enforcement powers and its territorial scope. It is no longer restricted to the EU but brings into its sights any company that moves or transfers the personal data of EU citizens outside the EU.
The problem HR professionals face is that consideration will need to be given to EU employees who work outside the EU in your organisation’s international offices, and also to any third parties you use to provide ‘virtual’ HR services that handle EU citizens’ data.
Helping your HR department to comply with the GDPR
If you are an international company with offices outside of the EU, you will have to gain a better understanding of your company’s data flows, especially where that applies to employee data and/or if the data is in a centralised location being managed by a third party.
To that end, if your company outsources any part of its HR function, or uses any type of third-party HR management software, the GDPR creates a new legal challenge. Under the current Data Protection Act 1998, third-party suppliers and data processors were held to account only against their contractual agreements.
However, under Chapter IV, Section 1, Article 28 of the GDPR, data processors will be obliged to comply fully with the Regulation in relation to the processing of personal and sensitive data and, by default, face the fines the GDPR levies if it is breached.
From an HR perspective, it will be important that your organisation’s current processes, policies and procedures fully comply with the Regulation in the areas of employee consent, handling sensitive data and dealing with subject access requests, bearing in mind Article 84, which covers penalties for failure to comply.
10 tips for HR to comply with the GDPR:
1. Carry Out an HR Policy Audit
You will need to carry out a detailed HR policy audit comparing your existing HR policies on the management of your global employees (especially EU citizens working outside the EU) against the GDPR, and clearly identify where your policies have gaps. A couple of key areas to consider are:
- Employee Consent
A direct impact on HR will be in relation to the use of consent as grounds for processing employee personal data. Non-specific consent, that is, consent not specifically given to the processing and documented by the employee, is unlikely to be considered valid under the GDPR. Therefore, where appropriate, you must have a policy and an auditable, documented process in place to gain the necessary consent from employees. Where your EU employees work outside the EU, sending an encrypted email is the quickest method of gaining consent, and it also provides an audit trail.
- Special Categories of Personal Data (Employee Data)
Under the GDPR these consist of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Rights and obligations in connection with employment and social protection are regarded as a legitimate ground for processing. Apart from that ground, under no circumstances can this data be processed without explicit consent from the employee. Again, you will be required to have a fully auditable, documented process in place, so encrypted email provides solid evidence that you hold explicit consent from any overseas employees.
2. Develop a Data Protection Awareness/Training Programme for Employees
If you have not done so already, you should develop an ongoing data protection awareness programme within your organisation and put in place a training programme for all employees, including your overseas employees.
- Data Protection Training
For your global employees, this should cover a read-through of your company’s data security processes, procedures and policies, either via a web-based product or, if you are planning an annual global staff event, in some form of classroom environment, ending with a test, whether electronic or paper based. Keep records of the outcome for auditing purposes. This exercise should be repeated every 6 months or annually, depending on legislative or business change.
- Data Protection Awareness
An ongoing data protection awareness programme should be developed internally as a form of continuous training. Visibility is key, and posters are a good way of maintaining awareness. Other methods could include monthly updates in the company newsletter you send to your overseas offices, or awareness days within your company.
3. Identify Where Your Employee Data is Stored
Carry out an audit exercise, in conjunction with your IT department, to fully understand where all your employee data is located. By located, I mean where in the world it is geographically held. This will have an impact, as the GDPR states that all European personal data should be located within the EU.
However, if the conditions of Binding Corporate Rules between your organisations for processing personal data outside the EU have been met, then that processing can take place.
If you find that your employees’ data is stored in one of your offices outside the EU, the data needs to be removed and transferred to a secure data facility within the EU.
Furthermore, your IT department will need to ensure that the non-EU office purges this data from its systems and provides an auditable trail confirming that the purge has been carried out. Personal data can only be transferred to countries outside the EU when an adequate level of protection is guaranteed, for example through technical measures such as firewalls.
Data transfers should not be made to non-EU countries that do not ensure adequate levels of data protection.
4. Review Your Third-party Supplier Contracts
Work closely with your legal team to ensure that any third-party contracts in place for HR software meet the new regulatory requirements, as outlined in the checklist below.
The GDPR imposes direct compliance obligations on data processors, as well as specific contractual requirements that the data controller must include in its data processing agreement with the data processor under Article 28.
Make sure your third-party contracts include the following points:
- Definitions
Where necessary, have you updated the definitions in your third-party supplier contracts to reflect the revised definitions in the GDPR, such as the handling of special categories of personal data?
- Data Breaches
In the event of a data breach, will the supplier notify you without undue delay after becoming aware of it, co-operate with you to investigate and remediate the breach, co-operate with any supervisory authorities and law enforcement, and assist with any notifications as required?
- Technical Measures
Do you require the use of specific technical measures, such as pseudonymisation or encryption, to ensure adequate data security? Will the supplier implement data protection by design where applicable?
- Record Keeping and Processing
Is the supplier’s data processing set up so that it can help you respond to and fulfil data subject requests (e.g. with respect to the right to data portability, right of access, right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object to processing, and right not to be subjected to automated profiling)? The supplier should be required to make available to you all information necessary to demonstrate its compliance with its processing obligations. The supplier should also be required to maintain a written record of all categories of processing activities carried out on your behalf and to make such records available to you or a supervisory authority upon request, together with the contact details of your DPO.
5. Work with Your IT Department
If your organisation has multiple IT departments globally, you will need to work with them to centralise their efforts and ensure the correct policies and processes are in place for processing employee data, both personal data and sensitive data.
Furthermore, ensure that the correct permissions have been set globally as to who has access to HR data, and keep a detailed record of the decisions made.
6. Understand Your Company’s Use of Employee Data
Ensure you are aware of what your organisation uses employee data for, where that data is located (see Tip 3) and which third parties (local and international) are engaged in processing it.
7. Review Your Recruitment Processes
Fully review all your employment policies, processes and procedures, including your recruitment process. If you work with international recruiters who use automation in any part of the hiring process, you must ensure that they seek consent from the individual, especially if that individual is an EU citizen, and are transparent about what they are doing and the criteria they apply when engaging with the candidate. They must also inform you of their process and keep a detailed audit of it.
8. Review Employee/Contractor Contracts
Review all your employee contracts and any contracts you have with consultants, employment agencies and service providers to ensure that they fully comply with the GDPR. This applies not just to global organisations or individuals but also to those within the EU.
Warning: It is your responsibility to ensure that this is done. If you discover non-compliance, you will need to bring the agency into compliance or look for a new one that does comply.
9. Establish a Rectification Programme
Where incomplete or inaccurate data is held about an employee, you have a mandatory obligation to rectify it. Employers should notify any third parties to which the employee data has been transferred so that they make the necessary amendments. Furthermore, there must be an auditable process to ensure that the changes have been made. If the data exists across several systems, the changes must be reflected across all of them.
10. Review How Your Data is Currently Transferred Between Your International Offices
The GDPR permits personal data transfers within your international organisation subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set out in the current Data Protection Act 1998, the GDPR allows data transfers to countries whose legal regime the European Commission deems to provide an ‘adequate’ level of personal data protection.
In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, such as through standard contractual clauses or binding corporate rules (BCRs).
Here are some useful elements to consider:
- Are you transferring the data to a country outside the EU?
- Is the transfer necessary?
- Does the EU formally consider the non-EU country you are transferring data to as having an adequate level of data protection? Has there been an adequacy decision?
- Does your company have, or can it put in place, adequate safeguards between itself and the other parties to protect that data (e.g. model contractual clauses or binding corporate rules)?
- Subject to a risk assessment and legal advice, does your company want to consider making its own assessment of adequacy?
- If the transfer is to the United States of America, has the US recipient of the data provided adequate protection for the transfer of personal data? Is it signed up to the EU/US Privacy Shield?
The GDPR clearly represents a significant compliance hurdle, particularly for companies with overseas employees. In an HR context, it is important to recognise that the GDPR must be implemented in conjunction with the UK’s current data protection legislation, alongside UK employment law.
The GDPR expressly provides EU nation states with some scope to set out national rules, specifically in relation to HR-related data. You must, therefore, maintain an awareness of developments at a national level, especially in relation to equality, recruitment and health and safety provisions.
Employers should, however, take some comfort that a degree of harmonisation between EU data protection law and the UK’s eventual domestic position will be necessary. Compliance with the GDPR’s requirements will likely be the most efficient way for organisations to futureproof themselves.