5 December, 2018
The General Data Protection Regulation (GDPR) became directly applicable across the European Union (EU) on 25 May 2018 and is widely recognized as one of the most stringent privacy-focused regulations in the world.
In addition to aiming to further harmonise European data protection standards, the greater ambition of GDPR is to provide individuals with higher levels of transparency and control over their personal data, as well as increasing the burden on data controllers and processors to demonstrate accountability and compliance with their obligations, including those related to data security and breach reporting.
Importantly for Chinese-headquartered organisations, the GDPR's onerous obligations have an extra-territorial scope.
This means that its requirements are not simply relevant to companies within the EU and will "catch" China-based businesses where they process HR personal data in the context of the activities of any EU-based establishments or where they monitor the behaviour of members of their workforce who are based in the EU. This may include not only the Chinese companies which have EU subsidiaries or presence but depending on the circumstances may also include those which engage independent contractors or service providers in EU. As Chinese companies (and capital) become more integrated into a globalised environment, GDPR should certainly not be ignored.
It may be easy for businesses to overlook the processing of employee, applicant, candidates, secondees and contractor information as being less of a compliance priority than other areas of the business. However, HR and Talent functions act as the custodians of significant volumes of often sensitive or confidential personal data within any organisation; it is therefore vital to build these categories of information into any audit or compliance programme which is undertaken. Given the significantly enhanced penalties for non-compliance under the GDPR (including administrative fines of up to 4% of an undertaking's worldwide turnover or EUR 20 million (whichever is higher)), the stakes have never been higher.
From a practical perspective, we have identified a number of key, non-exhaustive action points for organisations – regardless of where they are situated – to whom the GDPR will apply and who wish to pursue compliance within their HR function. These are split between a number of key themes within the regulation. We have experience in each of these areas and would be happy to help guide your business through these challenging new requirements.
What are the key GDPR action points in respect of HR data?
1. Transparency:
Individuals engaged by any EU-based entity (whether employees, candidates, secondees, contractors, applicants, interns or volunteers, for example) need to be provided with more detailed, granular and accessible information setting out how their personal data is used. This is commonly set out in a 'privacy notice' and must be provided to individuals at the outset of any relationship and updated regularly.
Key compliance steps will include:
- Reviewing / updating employee and applicant-facing privacy notices to meet detailed information requirements.
- Implementing procedures to ensure notices are provided on time, updated in line with new processing activities and version control records are kept.
- Considering the introduction of tailored notices for specific, or risky, processing activities, such as background checks and the provision of certain benefits.
2. Individual rights:
Organisations will need to be aware of enhanced individual rights of access (under a refined data subject access regime), objection and rectification, as well as new rights to data portability, restriction and erasure. HR teams must be able to recognise and deal with individual requests within strict deadlines.
The following will assist with this:
- Introducing business-facing, practical guidance and training modules on recognising and responding to individual data protection requests under the GDPR.
- Working with IT / Tech teams to conduct system testing and ensure ability to properly respond to the exercise of each individual right at both technical and practical levels.
- Implementing formal retention periods for particular categories of HR data and conduct data cleansing exercises in accordance with these limits.
3. Legality of processing:
The processing of personal data for each identified HR purpose must be justified on at least one of a number of strictly prescribed legal grounds. The days of relying on employee consent, which will be harder to justify and is unattractive given rights to withdraw consent must be honoured, in the context of an employment relationship, are over.
Alternative legal grounds, such as reliance on an organisation's 'legitimate interests' or contractual necessity, will be required instead. Businesses should, at minimum:
- Audit and allocate specific GDPR-compliant legal grounds to all identified HR data processing activities and purposes relevant to EU-based establishments, including those involving special categories of (i.e. sensitive) personal data.
- Document valid legal grounds within privacy notices and, where possible or required under local laws, an organisation's record of processing activities.
- Update policy and contractual documentation (including employment contacts) to remove reference to employee consent as an applicable legal basis for processing if consent is not relevant.
4. Data quality and minimisation:
Businesses must be able to demonstrate 'data protection by design and default' within internal systems which are relevant to their EU operations, so that the concept of data minimisation (whereby the minimum amount of data is retained for the shortest possible period) is central within HR functions.
This can be achieved through a combination of technical, organisational and practical measures, such as the following:
- Introduce clear guidance and reporting frameworks to assess and approve the necessity and scope of all new or amended HR data processing initiatives.
- Formalise clear HR data retention limits (both internally and with vendors) and co-ordinate with IT to ensure internal implementation on a technical level.
- Draft business-facing guidance to ensure planned and / or current 'risky' processing activities are identified and subject to a GDPR compliant Data Protection Impact Assessment ("DPIA") (see point 8 below).
Consider whether the organisation needs to appoint a formal Data Protection Officer ("DPO") under the GDPR, or alternatively whether the appointment of dedicated privacy specialists whose job specification is clearly not that of a GDPR "DPO" can be justified. As the GDPR requires that a DPO acts independently and is not dismissed or penalised for performing their tasks, it is important to understand the implications of such appointment.
5. Data sharing:
Where European HR data is shared within a corporate group (such as on a HR IT platform or in the course of carrying out specific investigations or redundancy exercises), or with external service providers (such as those offering hosting platforms, employee database management products or facilitating benefits / payroll administration) organisations will need to implement new practical and contractual arrangements with each recipient to ensure they will handle the data properly.
The following steps would be sensible, at a minimum:
- Audit intra-group flows of personal data, classify potential recipients (i.e. data controller or processor) and implement enhanced data sharing agreements in line with GDPR duties.
- Map personal data flows to external HR vendors, undertake a classification exercise (as immediately above) and update written service contracts to reflect new requirements.
- Enhance any formal on-boarding process for vendors to include both privacy 'classification' and 'vetting' assessments (i.e. whether they can comply with their data protection obligations in practice). Schedule regular reviews.
- Ensure that data transfer obligations are met (see point 6 below).
6. Data transfers:
Whilst the GDPR does not fundamentally change requirements relating to the transfer of personal data outside of the EU, organisations reassessing their data sharing arrangements (as above) would be sensible to use this opportunity to consider the continued adequacy of their current international transfer mechanisms, including Standard Contractual Clauses ("SCCs"), Binding Corporate Rules and the EU-US Privacy Shield.
HR functions should focus on:
- Mapping international flows of HR data (both internal and external), bearing in mind that merely accessing information abroad constitutes a transfer for data protection purposes.
- Ensuring that where personal data is transferred outside the EEA, or another jurisdiction subject to an EU Commission adequacy decision, each potential recipient (whether a group entity or external third-party) is covered by a valid data transfer mechanism.
- Implement and maintain a 'living' database (possibly as part of a formal 'record of processing activity', see point 8 below) of personal data recipients and corresponding data transfer mechanisms, which can be provided to individuals on request.
7. Data breaches:
The GDPR raises the stakes in respect of personal data security, not least because of its significantly increased potential fines and sanctions should data breaches occur. Organisations will need to be able to quickly recognise, isolate, mitigate and respond to security incidents in line with a formal procedure, and report certain breaches to their regulator (within 72 hours) and / or individuals. HR functions and individual business units must be aware that the term 'data breach' is not limited to malicious hacking; misplaced hard-copy personnel files and erroneous email recipients can be covered too. Breaches could stem from employee actions which, on the face of it, seem innocuous, for example forwarding an email chain which contains personal data / sensitive data (e.g. ‘she is not coming to work today because her daughter has chicken pox’).
Risks can be reduced by taking the following minimum steps:Implement clear and well-rehearsed security / data breach procedures – in conjunction with IT teams – to ensure data breaches can be mitigated quickly, and reported within 72 hours.
Ensure appropriate technical and organisational security measures cover all HR systems and functions, including 'need-to-know' access limitations, encryption and regular training / guidance.
Subject security measures to periodic testing and evaluation – much like a fire drill – to ensure an organisation's ability to respond in varied scenarios.
Put staff on notice that any breach (whether electronic or physical) must be reported immediately, ensuring that disciplinary policies are updated to make clear that responsibility for, or failing to report, any security incident may be considered a disciplinary offence.
Review restrictive covenants, as well as confidentiality and IP provisions within employment contracts and consultancy agreements.
8. Accountability
Passive compliance with the GDPR is not possible. Instead, all relevant business functions – including HR – will now need to 'demonstrate compliance' with their data protection obligations. Organisations should work towards this requirement by: (i) introducing detailed data protection policies and training; (ii) subjecting internal controls to regular audit and review; and (iii) maintaining a comprehensive, up-to-date 'record' of all processing activities.
With this in mind, businesses should:
- Produce and maintain a comprehensive 'record of processing activity' in line with GDPR requirements, which can be provided to data protection authorities on request.
- Implement and / or update employee-facing policies and training (including IT and disciplinary procedures) addressing all key areas discussed above.
- Subject internal procedures and controls to regular review and testing, ensuring that results and remedial measures are properly documented.
- Consider undertaking DPIAs where processing appears 'risky', such as employee monitoring and background checks.
What is the Overall Impact of the GDPR for Chinese Companies?
At the same time as the development of the GDPR, China's new data protection framework has emerged in the past year and is in the final stages of confirming the rest of the implementing details.The GDPR and Chinese data protection rules share many common requirements. There are similar focuses, definitions, requirements, and even timings for implementation. In light of this, taking steps to satisfy new, enhanced privacy standards under Chinese law will undoubtedly further potential GDPR compliance.
Notwithstanding the above, there are notable gaps and some important differences between the GDPR and China's data protection regime; Chinese-based organisations with a European presence would therefore be well-advised to build a specific and comprehensive GDPR gap-analysis into any data protection compliance programme. We have experience in such matters and would be very happy to assist.
Ying Wang, Partner, Bird & Bird
ying.wang@twobirds.com
n.b.
This article is intended as an illustrative overview only, will not be appropriate for all organisations and is not intended to be a substitute for specific legal advice.
Please also note that under the GDPR, individual EU member states are entitled to introduce more detailed and restrictive local laws in respect of the processing of personal data within the employment context. Compliance programmes will need to take any local variations into account, as applicable to their countries of operation.