Companies need to start hiring Data Protection Officers in readiness of GDPR, advises Allen & Overy

City law firm Allen & Overy has just produced this guide for HR Directors, “Data with Destiny”, as part of its Big Think programme.

What organisations need to start doing today

First, organisations must make sure they are ready to comply with a stricter and systematically different regime – and many are not yet anywhere near that position.

Second, and more importantly, they must not lose sight of the bigger prize that is on offer to them if they put data to use in innovative ways, in particular the huge potential of HR Big Data Analytics…

The firm sees Data Protection Officers (DPOs) as essential in leveraging this opportunity.

Companies should start recruiting DPOs NOW

DPOs must perform their duties independently, meaning that they must not take instructions from anyone else internally, but they are likely to look to HR for input in a range of areas – such as training, performance management, and procedures to be followed when employees join, leave and make subject access requests.

Companies need to adjust existing compliance management schemes to reflect the increased importance of data privacy. These should implement the new legal requirements and procedures, and introduce new roles, such as DPOs, into governance structures to ensure compliance.

Need for building greater transparency with policies and procedures

Companies must create much greater transparency around their use of data. They need to build clear policies and principles so that they can go to their Data Protection Authority and say: we have a clear road map of how we are going to handle these issues in the HR context.

And it’s just as vital to keep employees and their representatives closely informed. It sends the right messages and will minimise the risk of actual breaches, as well as those alleged by staff.

Costs will increase as a result

Compliance will be costly and companies need to build that additional cost into their budgets. There will be increased staff costs, for a start. The draft Regulation would require employers processing large volumes of data to appoint a Data Protection Officer (DPO).

Just hiring a DPO won’t be enough

In some cases, one DPO won’t be enough.

Employers need to start asking themselves now what additional staff they are likely to need. They also need to understand to what extent their HR functions need additional training and new skill sets to make the most of data in a compliant way. Documentation and processes will need to be overhauled to ensure employers have a clear picture of what data they hold, where it is being transferred to and how and why it is being processed. And this will need to be done flexibly.

EU General Data Protection Regulation (GDPR)

The GDPR will be subject to further change as it is finalised at EU and local level. But there is nothing to prevent employers from getting the audit and gap analysis process underway – and we strongly advise that they should.

The new tougher European framework will clearly leave employees elsewhere with an unequal level of protection, so one of the most important jobs will be to create alignment across borders. Some will opt for a minimalist approach.

Allen & Overy are working with a number of European clients who have chosen to extend protections offered by the proposed EU Regulation to their global workforce through the use of a global minimum policy which can tie in nicely with a company’s corporate social responsibility (CSR) programmes.
