Six months on from the GDPR, new study highlights discrepancies between data protection policies and practices among UK HR teams – despite 87 percent saying they are confident their processes are ‘fully compliant’ with the regulations.
Claire Williams, head of people and data protection officer, CIPHR, and Lucy Gordon, senior solicitor, ESP Law Ltd.
A third of HR teams admit to being in breach of the requirements of the General Data Protection Regulation (GDPR) by failing to delete personal data about employees, leavers and candidates after data-retention periods expire, according to a new survey by HR solutions provider CIPHR.
Although four-fifths (83 percent) of the 137 UK HR professionals surveyed said they have set retention periods for employee, leaver and candidate data, just 69 percent said they’d put these policies into practice and actually deleted data where retention periods have expired.
The apparent mismatch between the high proportion of HR teams who had updated policies (93 percent), introduced employee training (86 percent) or defined data retention periods (83 percent) and the relatively low proportion that are actively deleting expired data was a cause for concern, said CIPHR’s head of people and data protection officer Claire Williams.
“We’re entering a period now where HR professionals need to focus on enforcing the policies they’ve put in place. While the majority of organisations have done the necessary work to write policies, create new procedures and train staff, there remains a question over whether data-protection principles have actually been built into the design of the organisation, to ensure they are being adhered to consistently. It is proof of an intrinsic culture of data protection that the Information Commissioner’s Office (ICO) would be looking for during an inspection.”
The study also found that HR professionals are widely ignoring one of the ICO’s key recommendations for GDPR compliance: that of enabling self-service access to data. Only a third (31 percent) of respondents said they had enabled self-service access to personal data for employees in response to the GDPR, with that proportion falling dramatically for job applicants (7 percent) and former staff (4 percent).
Williams commented: “I’m really surprised that employers aren’t actively using self-service – which is such a common, widely used tool – to assist them in adhering to the GDPR principles, especially in relation to ensuring individuals’ rights, such as the right to access and the right to rectification. The GDPR sets out very clear rights for individuals in relation to how they access, rectify and erase data, and enabling self-service is an easy way to comply with those requirements. Not to mention all the other benefits associated with self-service HR for staff – such as improved data accuracy, absence management, better communication and, ultimately, higher employee engagement.”
The findings are at odds with HR professionals’ confidence in their compliance with the GDPR’s requirements. Six months on from the 25 May 2018 deadline, 87 percent of respondents said they were ‘very’ or ‘somewhat’ confident that their HR processes were now fully compliant with the regulations. Their confidence fell to 79 percent when asked about their wider organisation’s compliance with the GDPR.
“Although these are promising results in some regards, it’s vital that organisations don’t become complacent about GDPR compliance,” said Williams. “They need to make sure that policies and procedures are built into the fabric of the organisation, are consistently implemented, and are regularly reviewed and audited.”
Lucy Gordon, senior solicitor at ESP Law Ltd, also warned organisations not to become complacent. “Much of the detail of how compliance will work in practice is yet to be confirmed,” she said. “I would encourage businesses to update and modify their processes as time goes on in line with the current guidance. It’s also prudent to keep training employees about their obligations so that bad habits don’t develop and to audit processes regularly to ensure that they remain compliant.”
CIPHR’s survey also found that two-thirds (65 percent) of HR teams had requested consent from employees, leavers and applicants to hold their personal data. This high proportion could signal a misunderstanding of the GDPR’s eight lawful bases for data processing – only one of which is consent – said Williams. “The majority of data that organisations hold about their employees is usually driven by contracts or legitimate interests, so I’m surprised that such a high proportion of respondents are actively seeking consent to hold data.
“HR teams – and organisations more widely – must be actively considering the lawful bases for the ongoing processing of data, and take appropriate action if that purpose is no longer relevant,” added Williams. “More than half (51 percent) of HR professionals told us that they are relying on alerts outside their HR and recruitment systems – such as calendar reminders or paper notes – to remind them to manually delete records when their retention periods expire.
“Implementing HR and recruitment systems that have sophisticated data-retention dashboards – such as those in CIPHR’s software – will alleviate the burden of manual HR administration because they automatically identify and flag when records need to be deleted or anonymised, or if consent to process data needs to be extended.”
Gordon added: “There are certainly opportunities to make greater use of automated systems to assist with prompting the deletion of data. Most businesses seem to be relying on antiquated methods of diarising dates for deletion but these are prone to human error and delay. There is a surprisingly high number of respondents who have not deleted records where retention periods have expired and this suggests that these methods need revising to ensure that the appropriate action is taken. Consolidating your HR systems and data retention strategy removes the risk of human error and reliance on individuals responding to reminders.”