Clarkslegal Law Bites
Data Protection unlocked for HR: How to ensure compliance?
Data protection is increasingly crucial for HR as regulations evolve and data breaches become more common. In the second episode of the ‘Data Protection Unlocked for HR’ podcast series, Harry Berryman and Shauna Jones, members of the Clarkslegal data protection team, share invaluable insights on how HR can ensure compliance, safeguard employee data, and maintain privacy standards. Key areas covered in the episode include:
- Workplace policies and procedures
- The crucial role of the Data Protection Officer
- The significance of providing data protection training for both HR and employees
The episode is designed to equip listeners with the knowledge of best practices and effective strategies to secure sensitive information.
If you have any questions or want to discuss data protection law and how it applies to you in more depth, please contact our data protection team, who would be happy to help.
Shauna Jones 00:05
Hello and welcome to the second instalment of our series Data Protection Unlocked for HR. My name is Shauna Jones and I am a trainee solicitor within both the employment team and data protection team.
Harry Berryman 00:17
Thanks Shauna. Yes hello, my name is Harry Berryman and I’m a solicitor, also in the Employment and Data Protection Teams. In our first episode we discussed why data protection is important for HR. Today we will be providing further tips on how you can ensure compliance through the use of policies and procedures within your organisation. Our colleagues, Sana and Lucy, provided an oversight of data protection law and explained some of the key principles you should bear in mind when dealing with personal data in the first episode of our series. In HR, you will be in control of various types of data in relation to your employees such as employees’ names, addresses and contact details which you need to take care of correctly in accordance with the principles outlined in the first episode. A Data Protection policy can be helpful in that it lays out procedures for your organisation to follow which can help ensure compliance with monitoring and security requirements. It also helps put employees at ease by putting all information regarding how their data is being treated in one place.
Shauna Jones 01:15
Exactly, a survey in 2021 by the ICO held that over 50% of respondents linked the level of trust they had in a company with how they dealt with their personal data. Therefore, on top of being a good way to demonstrate compliance with your obligations, being transparent and open with your employees regarding your procedures via a written policy is extremely beneficial to your organisation. However, there is no one size fits all policy and you may want to tailor this to your organisation. You may simply incorporate relevant procedures into the employee handbook rather than have a standalone policy. We will discuss today what your organisation may want to consider incorporating to ensure data protection compliance. So first things first, what are some things that might need to be considered?
Harry Berryman 02:04
Some organisations will already have a Data Protection Officer, known as a DPO. It’s not necessary for every organisation to have a dedicated DPO - they are only required if you are a public authority, deal with large scale and regular monitoring, or deal with large scale special data categories. These special categories include, for example, health, religious beliefs, or race or ethnic origin.
However, the GDPR does require that all organisations, regardless of size, should have someone who is responsible for monitoring compliance. If your organisation doesn’t already have a go-to person, then this may be something you want to consider.
Having one employee known as being in charge of data protection is helpful for employees as they know who to reach out to in case of a potential breach or any queries they may have regarding data protection. In terms of demonstrating accountability and compliance to the ICO, having one individual whose roles and responsibilities involve dealing with the data you hold is a good idea. That person can then consider some of the remaining tips we will discuss today as part of their duties.
The key question is: what duties might you consider giving them?
Shauna Jones 03:12
Well, the principle of minimisation is important in data protection. Not only can regular reviews help you ensure your practices are compliant, they can flag up data which is no longer required to be retained and can be deleted. One of our tips in our first episode was to ensure your organisation meets this principle by deleting unnecessary data after a period of time. The reviews and monitoring of data to determine whether it should still be kept can be a responsibility given to your DPO. Additionally, you can ensure this is done by putting in place an additional policy known as a Data Retention Policy. What might you consider putting in this policy?
Harry Berryman 03:55
Well, this policy sets out how long you might keep data, where it will be stored in the meantime, and when you might decide to delete data. There’s a requirement under GDPR to maintain a record of any processing activities you carry out, which involves setting out proposed erasure time limits so having something similar to a data retention policy in place can be largely beneficial in demonstrating this requirement. It may be that you don’t require a policy but a retention schedule which sets out when certain types of data will be deleted might be sufficient.
Shauna Jones 04:25
Yes, similar to a data protection policy, there’s no one size fits all and you might find it simpler to just have a retention schedule. On the other hand, if you deal with sensitive data such as criminal convictions, there is an additional requirement under the Data Protection Act 2018 that a policy must be in place for this explaining how long the information will be retained and why the information is being retained in the first place.
Harry Berryman 04:49
You may also be required to hold onto certain data under regulatory requirements. One example in HR is the tax records of your employees which you are obliged to hold on to for certain minimum periods. All of this shows that there can’t be a one size fits all approach to data and it’s important to carry out regular reviews on what sort of data you are holding, whether it can be deleted, and most importantly, that it’s being held lawfully and securely. Now that we’ve talked about how HR teams specifically deal with data, it’s also important to consider how to ensure the rest of the organisation will comply.
Shauna Jones 05:23
Well, our previous tips involve setting out what you will do in a policy so employees can read it and be kept informed regarding how data is controlled, but you may also need to consider what type of training they require and how often this should be carried out. Legislation like GDPR and DPA applies to all employees. Training is required for employees so they know how to deal with the personal data that they deal with on a day-to-day basis. For example, personal data is any data which you can use to identify a person. Emails sent in ordinary business life can include personal data and sending an email to a mistaken recipient may mean a data breach has been committed. Training should be given to all employees on how to recognise a data breach and explain who they should report the breach to within the organisation.
Harry Berryman 06:10
Yes. Some departments, such as HR, may require more in-depth training due to their access to sensitive data. We have mentioned special data categories earlier in the podcast, which require particular attention.
Information regarding an employee’s health requires further protection due to its sensitivity. As this is something you will need to deal with in relation to sick notes and leave, or possibly in relation to requests for flexible working, it’s essential that you are aware of the additional requirements that you will need to comply with in storing this data. You will need to look at the type of data which is being collected and determine how in depth this training will need to be.
Shauna Jones 06:46
Thank you for taking your time today to listen to a few tips on how to ensure compliance with data protection legislation. Of course, we have only discussed a few ideas on how you should incorporate data protection into the workplace, but we hope it has provided some inspiration.
Harry Berryman 07:01
Yes, thank you for listening. If you would like to discuss any of the potential tips please get in touch with our data protection team. Otherwise, please watch out for our next episode of Data Protection Unlocked for HR.