The General Data Protection Regulation (GDPR) has been in effect for just over four months. For all the hype and trepidation that spread across the business world in the lead up to May 25th 2018, the noise has now somewhat dissipated.
So, what has been the impact of GDPR four months on, both on HR and the wider business? And how much is the Information Commissioner’s Office (ICO) ready and willing to flex its new powers?
For the latter, this may become clear very soon when we see what action is taken against British Airways (BA) for its recently reported data breach, in which its customers’ financial data was stolen from 380,000 online transactions. Based on GDPR penalties, BA could be fined up to £489m.
We have already seen that the ICO is prepared to act. In July, the Independent Inquiry into Child Sex Abuse was fined £200,000 after a staff member mistakenly inserted email addresses into the ‘To’ field, rather than the BCC field, in a mass email – allowing all the recipients to see all the other addresses.
At this stage, we have only seen the high profile incidents make the news so it is unclear at this stage how smaller breaches will be dealt with by the ICO.
When it comes to the impact of GDPR on the HR function, there are several notable trends emerging, as follows:
1. Heightened director liability
The ICO often struggles to collect fines for data breaches, as it can only impose them on the actual organisation that’s guilty of the offence. So, to avoid punishment, directors often dissolve the company, or put it into liquidation, and start a new business under a different name – thus evading fines.
But, under the new GDPR legislation, the government is now consulting on plans to give the ICO powers to fine directors personally when their companies transgress.
So, HR must make directors aware they could be personally liable for any data offences an organisation may commit – regardless of the status of the company.
Many HR departments have been dealing with a significant increase in Subject Access Requests (SARs) from employees since GDPR came into force. The new legislation gives anyone the right to see the personal data held by any organisation, including their employer.
In some cases, employees have a genuine concern about what data is being held and processed and want to check its accuracy. But some companies are reporting SARs being made with little reason, other than to inconvenience employers with the possibility of getting compensation if a problem is discovered
It’s a time-consuming, administrative process, but HR is legally obliged to treat each SAR the same – and provide an answer within one month of receipt (although this can be extended to two months in complex cases).
3. Complications with gig economy workers
Gig economy workers, those on short-term or freelance contracts who can be classified as ‘self-employed’, are causing headaches for many HR departments thanks to GDPR.
This is because GDPR requires a company to show a high degree of control over the employee data it controls – regardless of their employment classification. But, to satisfy courts and tribunals that gig economy workers are correctly classified as self-employed, a low degree of control must be demonstrated.
This is a potentially damaging and costly paradox and one that is currently being played out in the courts through a case involving Deliveroo, which classifies its food delivery workers as self-employed. The result could have far-reaching implications for employment classification.
4. Making HR systems comply with GDPR
A great deal of the GDPR burden is falling on HR departments, requiring them to pull data together from numerous sources for reporting purposes. This task is admin-heavy and presents the possibility of human error, which is no defence where data breaches are concerned.
So, many HR departments are investing in data management and workflow tools that reduce this pressure and the threat of non-compliance. There are many examples of companies that have invested in new systems that automate data collection tasks and enable HR staff to easily manage data and produce reports.
GDPR is here to stay and businesses have had to adapt. Compliance is becoming business as usual and there is much-heightened awareness of best practice when it comes to data privacy. So from that perspective, the new legislation is working.
It’s also clear that the ICO is prepared to act and punish organisations that break the rules on a significant scale. How far the ICO takes less serious cases remains to be seen.
From an HR point of view, it’s more vital than ever to understand all the requirements of GDPR to help safeguard your business and your employees. But it is yet another responsibility to add to a function that is often saddled with an excessive administrative burden, so finding ways to automate and streamline GDPR processes is where many HR teams are now focusing.