GDPR: 8 things you ought to know in HR & IT!
The arrival of the General Data Protection Regulation (GDPR) in the UK will change the way organisations like yours manage personal data. This could be anything from names or email addresses to more detailed information such as bank details or medical records. This legislation comes into effect on 25 May 2018 – less than a year from now – and will apply in all EU member states. The UK Government has confirmed that the GDPR will be implemented in the UK. As an employer you will need to rethink how personal data is collected, used and kept, from handling recruitment and employer references, to monitoring staff performance and storing records. Here are 8 things you need to know in order to be ready for the GDPR.
1. GDPR affects small employers too
The GDPR will apply to organisations of all sizes. The fact that your organisation employs just 50 or 100 people doesn’t exempt you. However, not all organisations will be treated the same: employers need to take measures that are appropriate, taking into account a number of factors. If you’re not processing large amounts of data, or are not involved in high-risk processing, you won’t be expected to commit as many resources to GDPR compliance as larger or more data-intensive operations. There are very limited exemptions from the record-keeping requirements for organisations with fewer than 250 employees (and these do not apply to the processing of sensitive data), but all other requirements of the GDPR apply. If you would like the 12 steps to become GDPR compliant, do email me, [email protected]
2. Employees have the right of access to their data
The Data Protection Act 1998 already gives employees the right to make a subject access request in relation to their personal data; under the GDPR, these rights will be extended. For example, from 25 May 2018 employees will need to be advised of any recipients of the data located in countries outside the European Economic Area. They will be entitled to know for how long the data will be stored; of their right to have data corrected or deleted; and of their right to request the restriction of processing. The GDPR will also make it easier for people to request details of the data held. As a rule, fees can no longer be charged and employers will have to respond within a month. The GDPR does contain protection to prevent abuse of these rights (for example, requests that are manifestly unfounded or excessive), but the principle is clear: employees are entitled to faster and easier access to their data.
3. GDPR will impact on the recruitment & induction process
The arrival of the GDPR will bring new protections for potential employees and, with it, new responsibilities for recruiters. For example, you will need to formalise the reasons why data is processed and the period for which it will be retained, and provide this information to applicants. If you intend to keep information ‘on file’ in case similar positions become available, you’ll need their consent to do so. This applies to unsolicited job applications too. The regulation will – with certain exceptions – mean an end to decisions based solely on automated data processing (e.g. automated shortlisting based on qualifications). Even if one of the exceptions does apply, candidates must be advised of the automated decision-making and the employer must put in place certain safeguards. Obviously, induction will need to change, along with your staff handbook. If you would like a copy of our "Ultimate consent check-list", do email [email protected]
4. Individuals have the right to be forgotten
The GDPR sets down the right of individuals to ask that their personal data be erased. Reasons for this could be that it is no longer necessary in relation to the purposes for which it was originally collected; that it was ‘unlawfully’ processed; or that the individual objects to processing carried out on the basis of the employer’s legitimate interests and there are no overriding legitimate grounds for it to continue. Or the individual could simply withdraw his or her consent in circumstances where there are no other grounds for processing. If the data has been made public, you will also need to inform others who hold it that erasure of the data has been requested. There are certain circumstances (e.g. legal obligations or the establishment, exercise or defence of a legal claim) in which you would not have to comply with such a request, but processing for any other purpose would have to cease.
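Points 3 and 4 together describe a decision an HR system has to make over and over: is this record still needed for its stated purpose, has a valid ground for erasure arisen, and does a legal obligation or legal hold override it? The following is an added example, not code from the original post; the record fields, the names of the legal bases and the simplified rules are this example's own assumptions, chosen to mirror the grounds and exceptions the text lists, not a statement of the law. The sample records are constructed for the example.

```python
"""Added illustration of retention and erasure handling for HR data.

The field names, legal-basis labels and rules below are this example's own
simplification of the obligations described in the post, not legal advice.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Constructed reference date for the sample records (assumption, not from the post).
TODAY = date(2018, 6, 1)


@dataclass
class HrRecord:
    subject_id: str
    purpose: str            # why the data was collected, e.g. "recruitment"
    legal_basis: str        # "consent", "contract", "legal_obligation", "legitimate_interest"
    collected_on: date
    retention_days: int     # retention period stated in the privacy notice
    consent_withdrawn: bool = False
    legal_hold: bool = False      # needed to defend a legal claim: an erasure exception
    made_public: bool = False     # if so, recipients must be told of the erasure request
    recipients: List[str] = field(default_factory=list)


def retention_expired(rec: HrRecord, today: date) -> bool:
    """True once the data is no longer necessary for the purpose it was collected for."""
    return today > rec.collected_on + timedelta(days=rec.retention_days)


def erasure_decision(rec: HrRecord, today: date, objection: bool = False) -> Dict:
    """Decide whether an erasure request (or a routine sweep) should delete rec.

    Returns {"action": "erase" | "retain", "reasons": [...], "notify": [...]}.
    """
    # Exceptions are checked first: a legal obligation or an active legal hold
    # overrides every ground for erasure.
    if rec.legal_basis == "legal_obligation" or rec.legal_hold:
        return {"action": "retain",
                "reasons": ["legal obligation or defence of a legal claim"],
                "notify": []}

    grounds = []
    if retention_expired(rec, today):
        grounds.append("no longer necessary for purpose %r" % rec.purpose)
    if rec.legal_basis == "consent" and rec.consent_withdrawn:
        grounds.append("consent withdrawn and no other basis for processing")
    if objection and rec.legal_basis == "legitimate_interest":
        grounds.append("objection to legitimate-interest processing, no overriding interest")

    if not grounds:
        return {"action": "retain", "reasons": ["no ground for erasure"], "notify": []}
    # Data that was made public: the other recipients must be informed of the request.
    notify = list(rec.recipients) if rec.made_public else []
    return {"action": "erase", "reasons": grounds, "notify": notify}


def retention_sweep(records: List[HrRecord], today: date) -> List[str]:
    """Routine job: ids of records due for erasure without any request from the subject."""
    return [r.subject_id for r in records if erasure_decision(r, today)["action"] == "erase"]


def sample_records() -> Dict[str, HrRecord]:
    """Constructed sample data (not real records)."""
    return {
        # Unsuccessful applicant kept 'on file' with consent; CV was also posted to a job board.
        "applicant": HrRecord("A1", "recruitment", "consent", date(2017, 6, 1), 180,
                              made_public=True, recipients=["jobboard"]),
        # Same kind of record, but subject to a legal hold pending a tribunal claim.
        "held": HrRecord("A2", "recruitment", "consent", date(2017, 6, 1), 180, legal_hold=True),
        # Current employee's payroll data, processed under the employment contract.
        "payroll": HrRecord("E1", "payroll", "contract", date(2018, 1, 1), 365 * 6),
        # Performance-monitoring data processed under legitimate interests.
        "monitoring": HrRecord("E2", "monitoring", "legitimate_interest", date(2018, 1, 1), 365),
    }


if __name__ == "__main__":
    recs = sample_records()
    for name, rec in recs.items():
        print(name, erasure_decision(rec, TODAY))
    print("sweep:", retention_sweep(list(recs.values()), TODAY))
```

The order of the checks is the point: the exceptions (legal obligation, legal hold) are evaluated before any ground for erasure, so a routine retention sweep can never silently delete something the organisation is required to keep, and the "notify" list is populated only when the data was actually disclosed onward.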
5. You may need to appoint a data protection officer
If your organisation is a public body, your core activities involve large-scale data processing requiring regular monitoring of individuals, or there’s large-scale processing of sensitive personal data or data relating to criminal convictions, then the GDPR is clear: you will need to appoint a Data Protection Officer (DPO). Their job will be to make sure that everyone is aware of their rights and responsibilities, and to monitor compliance. The role can be contracted externally or carried out by a member of staff. The nature of the role is a sensitive one, so under the GDPR the position should be independent of influence from the organisation. DPOs are protected from being dismissed or penalised for carrying out their duties.
6. Criminal record checks
Under the GDPR, employers would be allowed to carry out criminal records checks on prospective employees only if this is specifically authorised by law, for example where a Disclosure and Barring Service check is required for a role involving work with vulnerable adults or children. However, this is an area where the GDPR allows governments to set their own national rules to some extent. Under the proposed new UK data protection law, employers would be able to carry out criminal records checks in more circumstances than allowed under the GDPR. You may be able to carry out a check if it’s necessary for the purposes of performing or exercising employment law obligations or rights, or when the job applicant has consented to the check – provided that the consent meets the strict requirements under the GDPR. If your organisation currently carries out criminal records checks you should keep up to date with developments in this area.
7. You will need to inform employees of their rights
A key requirement of the GDPR is that employees are informed about the processing of personal data you carry out (and, where consent is the legal basis, that they give it freely), and this must be formalised in an information notice (aka a ‘privacy’ or ‘fair processing’ notice). The information provided to an employee must be in plain, easy-to-understand language and includes, among other things:
- The identity and contact details of the employer
- The purposes – and legal bases – for data processing
- Details of any recipients of the data
- Details of any transfer outside the EEA
- The period for which the data will be stored
- The right of access to data and to request its rectification or erasure
- The right to withdraw consent (when the legal basis for processing is consent)
- The source of the data (if not obtained directly from the employee)
For details of our "Ultimate consent check list", do contact [email protected]
8. Non-compliance can be very, very costly
Compliance with the GDPR is not something to be taken lightly. If, as an employer, you breach your obligations, you could face a fine as high as €20 million or 4% of your organisation’s global annual turnover – whichever is greater. A number of factors would be taken into account in determining the fine: the nature, gravity and duration of the breach; the damage suffered by individuals; and any action taken by the organisation to mitigate that damage. Other tools available to regulators include specific compliance orders and a ban on processing personal data. You know you must act soon! If you would like a copy of our "Ultimate paperwork requirements", then do email [email protected]
If you would like help becoming legally compliant, then do contact us.
If you valued this post, please do share it and follow me, thank you. [email protected]