GDPR: lessons for HR a year on
In the lead-up to 25 May 2018, when GDPR came into force, media headlines warned of substantial fines for failure to comply with the new data protection legislation. Many organisations in the UK relaxed when 25 May 2018 came and went without a visit from the Information Commissioner's Office (ICO), despite not being fully GDPR compliant. That is a reckless attitude to take.
There have been a number of headline-grabbing cases which show just how damaging a failure to comply with data protection law can be, both financially and reputationally. Behind the headlines are numerous employers who have been reported to the ICO by individuals who have suffered personal data breaches, and who will have spent considerable time and cost investigating and taking remedial action. Reputational damage is also a concern where data breaches have to be disclosed as part of bid processes.
One trend we are seeing is for claimants seeking compensation through an employment tribunal to submit subject access requests. Individuals have the right to do this at any time and without needing to show cause. Tactically, this can divert the employer's attention away from dealing with the tribunal claim. The time and cost of responding to such requests can be significant and can encourage employers to settle out of court.
Due to resourcing issues and the difficulty of identifying what is disclosable to a data subject, HR can find subject access requests problematic to deal with. Challenges include understanding what counts as personal data, the options for redaction, and which exemptions can be relied upon (not all data needs to be disclosed). Finally, there is the response itself, in which HR needs to explain why it holds the data it does. There is also the risk that, through such a request, an employer exposes itself to further breach-related claims, either by revealing additional failings or by inadvertently disclosing someone else's personal data.
Another challenge for HR teams is the retention of employee records, which can be a minefield: the storage limitation and data minimisation principles require different retention periods for different types of data. If you are trying to comply with best practice, the amount of resource that now needs to be allocated to this is beyond most HR teams. We put together a retention guidance note for one client which ran to some 27 pages of advice. It is simply a very complex area of law.
The ICO has been clear all along that compliance with GDPR is a journey rather than a destination, meaning those who brought in data protection policies a year ago will need to review these to ensure they remain fit for purpose.
But many businesses have still failed to make any serious effort to alter their policies as a result of GDPR. Non-compliance can attract fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, and with the passage of time the ICO is likely to take an increasingly dim view of those who have failed to act.
The French have a phrase for those who ignore things by sticking their head in the sand and hoping things will go away: ‘faire l’autruche’. This is not the right time for ostrich impressions.
TIPS: How to prepare proactively for GDPR
- Conduct a GDPR audit to identify potential compliance gaps. Employers who have already done this should repeat the audit yearly
- Train employees to understand the importance of data protection and the part each of them plays in meeting the business's compliance obligations
- Run a mock subject access request to see how you would cope
- Make sure you have an effective policing system, including random checks on internal compliance with data-related policies.
Gwynneth Tan and Stuart Lawrenson are employment partners at Shoosmiths