GDPR – 8 Key Questions That HR Leaders Must Ask Themselves

1. Are You Fully Up To Speed with what GDPR is?

GDPR is a new EU regulation governing data privacy procedures, which replaces the Data Protection Act 1998 and has been rigorously updated to take into account the heightened risk of cyber crime and warfare and identity theft. Compliance with the Data Protection Act 1998 does not mean automation compliance with the new directive. The GDPR has more stringent requirements and much harsher penalties for non-compliance, than its predecessor, including larger fines and prosecution. A root and branch review is needed,  no matter how compliant your data privacy processes were prior to the introduction of GDPR.

‍2. Is Your Organization Taking GDPR Seriously Enough yet?‍

New more punitive financial penalties reflect GDPR’s intent to tackle the threat of cyber-crime and cyber terrorism on society. Administrative fines for data breaches now have risen under GDPR to up to 4% of turnover or 20 million euros, which ever is bigger. (The limit was £500,000 under the previous Data Protection Act 1998). The resultant damage to your reputation, productivity and the potential loss of customers could compound the financial fallout even further.

3. Do You Know Why Google Were Fined Under GDPR?‍

Analysing and understanding the exact reason why Google were fined will crystallise your understanding of GDPR, and its correct application. It might highlight shortcomings and risks in your own GDPR compliance process too. You can read the full summary at the European Data Protection Board website. In summary, Google received it’s fine for a, "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation".  
The Data Protection Board press-released the reasons for their fine carefully, both as a warning but also as a way of educating Data Controllers in how to comply with the GDPR. The press release gives important insights in what a real-world breach of procedure looks like. It also lets us see how stringently the Data Protection Board are actually applying the law in practice. It will also help to set legal precedents that can inform and guide your own compliance activity.

4. Are You Incorrectly Relying on Consent as Justification for Processing Personal Data?‍

The Google case shows us that the area of consent is a potential banana skin. It’s important that you have a robust process in this area.  Know that you can no longer rely on practices such as ‘implied’ or ‘opt-out’ consent as was accepted practice under the previous Data Protection Act 1998.
The new GDPR privacy law tightened up in this area, meaning that consent must be “specific and unambiguous”. This new, explicit requirement complicates the HR process, because it also comes with a requirement that for consent to be valid, it must be “freely given”.

However, where there is a power imbalance between the person giving consent and the party receiving, (as in the employer-employee relationship), consent is unlikely to be valid.

This suggests it will be quite hard for employers to rely on consent as a reason for processing employee data. It’s recommended by legal professionals that HR professionals rely on alternative justifications for fairly processing personal data under GDPR and these are, ‘being necessary for the performance of the employment contract’ or that there are ‘legitimate interests’ in processing the data. ‍

5. Are Your Staff Competent in the New Data Handling Regime?‍

For GDPR to be executed effectively in your organisation all staff need to be aware of their obligations and be trained to perform the necessary data handling tasks correctly. One-size-fits-all training will not be appropriate as data handling requirements can vary dramatically between job holder. Some budget will be necessary – and time will need to be set aside – for training, but this does not need to be expensive. There is an abundance of free or affordable, light-touch or deep-dive, and perfectly adequate e-learning courses available online. These will minimise cost and time away from the business, while delivering the GDPR awareness and competence you require. ‍

6. Have You Documented All Your Processes and Data Pathways?‍

Having clear documentation of your privacy process and data flows will help if your organisation experiences a data breach and/or (worse still), are being investigated by the information commissioners office. This is because GDPR takes into account the “intentional or negligent character of the infringement”, when deciding on whether to issue a fine and the level of fine that it may administer.So, despite the breach of data, if you can clearly demonstrate that you have healthy and compliant data flow and data privacy processes, it may serve to minimise any administrative fine. Remember, the maximum level of GDPR administrative fine is up to $4% of global turnover.

‍7. When Did You Organization Last Perform a Data Audit?‍

Organisational processes are generally perishable without continued maintenance, due to things like staff turnover, role changes, being overworked, sickness etc. It’s therefore advisable that your organisation’s GDPR compliance process is audited on a regular basis. The GDPR regulation doesn’t make any requirement for auditing, in particular, but as a proven, quality assurance process a record of regular audits should demonstrate a conscientious attitude to data privacy to the regulator in the event of a breach. Health and Safety and Finance audits generally happen on an annual basis and this kind of frequency would probably suit GDPR. There are plenty of GDPR audit templates on line and in the UK, the Information Commissioner’s Office conduct free audits. These audit report outline risks and priorities and give you a set of recommendations to work with.‍

8. Are You Asking Your Suppliers Questions About GDPR Compliance before Appointing them?‍

By now, your sales teams might be used to receiving GDPR compliance questionnaires prior to engaging new clients. From the other side of the fence, a key part of getting your own house in order with GDPR is ensuring that your vendors and suppliers who are processing personal data are GDPR compliant. You should be asking your suppliers, who process personal data on behalf of your organisation, GDPR compliance questions. If your suppliers fail to answer the following questions satisfactorily, they may not be a suitable partner for your business.

1. Who is your Data Protection Offer and what are their specific duties?
2. Can you tell us what privacy and data handling training your employees have received and at what frequency?
3. Outline your systems for the detection and communication of breaches of data.
4. Explain where personal data that you are processing on our behalf is stored within your organization? If you are using a third party data processor, please tell us who they are and where the data is stored.
5. Explain how data is being anonymized and encrypted within your organization.
6. How does your organization detect and communicate data breaches?
7. Do you audit your GDPR process and if so how regularly do you do this?
8. Please explain your processes for destructing personal data associated with a data subject once it can no longer be legitimately held.
   

GDPR Takeaways

We know there’s a lot to take in, so here’s 6 important takeaways from this paper.

1. Compliance with the Data Protection Act 1998 does not mean automatic compliance with GDPR
2. GDPR administrative fines can reach up to 4% of annual turnover
3. It’s not enough to be GDPR compliant, you need to be able to demonstrate compliance
4. Staff need to train on GDPR compliant data handling practices to be effective
5. Ideally a GDPR compliance audit should take place about once a year
6. Be aware of the power imbalance between employer and employee when processing data