Whichever way you look at it, the General Data Protection Regulation (GDPR), which applies from 25 May 2018, is confusing to say the least. It not only extends the current obligations on employers with regard to data protection in the workplace but also raises a lot of questions where the answers aren’t particularly clear, such as:
If an employee has the right to be forgotten – what happens if you get a reference request for an ex-employee?
If an employee withdraws consent to the holding of their personal data – can I actually still pay them?
So, we have pulled together a quick guide on the main impact of GDPR on Human Resources (HR) and employees, and some key steps to take to ensure you are compliant.
Main features of GDPR on HR & Employees
The list below are some of the main aspects for consideration when looking at becoming GDPR compliant.
Consent – employers should not rely on a clause in the employee’s contract of employment as the employee’s consent to the employer holding, processing and retaining personal information about them. Under the GDPR, consent must be (a) freely given, (b) specific, (c) informed and (d) unambiguous, and it can be withdrawn at any time. Because of the imbalance of power between employer and employee, consent will rarely be “freely given” in the employment context, so for most HR processing employers should rely on one of the other legal bases (see Legal Basis below) and keep consent for the few situations where the employee has a genuine free choice
Data Protection Officer – an employer must appoint a Data Protection Officer if it is a public authority, or if its “core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”, or of large-scale processing of special categories of data or data relating to criminal convictions and offences. Most SME organisations will not need to appoint a DPO, but you should still allocate GDPR responsibilities to one named member of the team
Employee Rights – the GDPR strengthens employee rights, specifically giving them the right to (a) submit Subject Access Requests, to which employers must respond without undue delay and in any case within one month of receiving the request (extendable by up to two further months where requests are complex or numerous, provided the employee is told within the first month); (b) withdraw consent where consent is the basis for processing; (c) require employers to correct inaccurate information (rectification) and to restrict (“freeze”) processing of information held about them; and (d) be forgotten, i.e. require erasure of personal data where it is no longer necessary for the purpose for which it was collected (e.g. at the end of employment), where consent has been withdrawn, or where it has been processed unlawfully. Erasure is not absolute: data an employer must keep to meet a legal obligation (such as tax and payroll records) or to establish or defend legal claims can be retained
Legal Basis – an employer should identify and explain the legal basis for holding, processing or retaining personal information about employees. The GDPR does not stop employers holding information, but employees must be told on what grounds the employer does so. For HR data the usual bases are: (a) the legitimate interests of the employer (e.g. in the context of employee monitoring), which requires the employer to balance its interests against the employee’s rights and to document that assessment; (b) a legal obligation (e.g. processing employee data for tax and social security purposes); or (c) contractual necessity (e.g. processing bank details in order to pay the employee). Special categories of data, such as health or trade union membership, need an additional condition, for example that the processing is necessary for carrying out obligations under employment law
Privacy Notice – employers are required to provide a robust, easy-to-read, concise and transparent Privacy Notice that explains what information is held about employees, why it is held and on what legal basis, where it is kept, how long it is kept for, who has access to it (including any third parties such as payroll providers), how an employee gives and withdraws consent where consent is relied on, and how they request access to their personal information
Data Breach Policy – employers are required to establish a formal process for detecting, containing, assessing and recording personal data breaches. Where a breach is likely to result in a risk to employees’ rights and freedoms, the employer must notify the Data Protection Authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals concerned – for example the loss of bank account details or other information that could enable fraud or identity theft – the affected employees must also be told without undue delay. All breaches, whether or not they are notifiable, must be documented internally
What does HR need to do to implement GDPR
Appoint the person responsible for GDPR purposes. This should be someone senior enough to make decisions and enforce rules, who will also be the single point of contact for employees who have GDPR-related questions or requests
Undertake an audit of what information is being held specifically:
What you process/hold
Why you are holding it
The legal basis for holding it
Who has access to it
Where is it kept
How long you retain it for
What happens to the information when employment ends
In terms of retaining information after employment, set a defined retention period for each category of record and stick to it. For pay information a simple guide is to follow standard accounting practice on retention, commonly seven years (with a statutory minimum of three years after the end of the tax year for PAYE records). Other information may be deleted on termination (such as requests for pay information from mortgage companies). Items that may be needed to defend an employment tribunal claim, such as appraisal notes or disciplinary records, should be kept for a longer period after termination; the usual time limit for bringing a tribunal claim is three months, so nothing in this category should be deleted before that period has expired
This is a good time to rethink what you are keeping and to thin out personnel files where information being held is no longer relevant.
Create the Privacy Notice. The main information for this will come from your Data Audit, along with general information on how an employee requests access to records, how consent is given and withdrawn where consent is relied on, how the information held is kept secure and who the responsible person is
Issue the Privacy Notice to employees. For any processing where you do rely on consent, issue a separate, specific consent document that clearly explains why you are seeking consent, what it covers, and the employee’s right to withdraw it
Create your Data Breach Policy, setting out how you will detect, contain, assess, record and, where required, report breaches of the security of the data you hold
Do you need more information?
If you’d like to know more about GDPR and how it will affect HR, see here: