Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration with the Data Protection Authority and random audits.
The UK GDPR is oriented around “privacy by design” and “privacy by default.” UK-based Controllers (employers) and Processors (subcontractors) must implement all technical and organizational measures necessary to ensure the protection of personal data. In practical terms, every instance of processing personal data should take privacy into account, in order to limit the amount of data processed from the outset. Two key considerations are the reasons for collecting the data and the potential consequences (risks) of maintaining and processing this data.
The consequence of this accountability principle is the reduction of required employee notifications, once controllers and processors conclude that processing the personal data does not constitute a risk to privacy. The Data Protection Act 2018 has a few compliance requirements to demonstrate accountability, such as:
- maintaining a register of the processing activities implemented
- the notification of security breaches (to the authorities and persons concerned)
- adherence to codes of conduct
- the DPO (Data Protection Officer)
- Privacy Impact Assessments (PIAs)
While registering with data protection authorities is not required, the UK instituted mandatory fees for some data controllers. Staff administration is exempt from this requirement, but there are limits to this exception (e.g., it doesn’t apply to applicant data and may not apply to certain cross-border transfers). Most employers choose to pay the small fee to the Information Commissioner’s Office.
Additional information can be found below:
HR Best Practices: Build in privacy considerations and risk assessments for all employee and candidate data collection processes. Follow the principles of “privacy by design” and “privacy by default.” The website of the UK’s Information Commissioner’s Office (ICO) provides a range of training materials, including practical toolkits and training videos.