The new General Data Protection Regulation (GDPR) is now less than six months away, coming into force on the 25th May 2018 and significantly changing data protection law in the UK. For HR in particular, GDPR means big changes to the way in which we manage the data we hold about our employees.
The new regulation is designed to ensure that only the minimum amount of personal data is collected and that it is kept for no longer than absolutely necessary. Any processing of the data that is collected must be limited to that specific purpose.
What does HR need to know about GDPR? Here are our top five key facts.
Consent – When we process people data, typically we rely on a clause in a Contract of Employment that provides consent to do so. This isn’t going to be the case under GDPR; consent must be ‘freely given, informed, specific and explicit’, so a general contractual clause will no longer suffice. The HR function will need to ensure it gains appropriate consent to lawfully process employee data, or rely on other legal grounds to do so.
Data Subject Access Requests – In HR we are used to handling requests from employees to see the data that we hold about them. Under GDPR the data now has to be provided within one month – and you will no longer be able to make a charge for providing it. The GDPR may well lead to increased employee awareness of the right to request the data held about them – so HR should prepare for additional applications.
Information at the point of data collection – Under GDPR, employers will need to provide more information to people about how their data will be processed at the time they collect it. There is a lengthy list of the information that needs to be provided, and if data is then processed for a new purpose employees must be notified again.
Data Breaches – If your employee data is subject to one of the many types of data breach that must be reported, IT related or otherwise, you must now proactively report it to the Information Commissioner. You will need to have a process in place to ensure that this happens.
Claims – The GDPR will make it easier for individuals to bring claims against employers in the event of a data breach – and receive financial compensation for loss or hurt feelings. At the same time, fines against companies for non-compliance will be much higher than under current data protection legislation.
Taking all of this into account, there are some steps that HR should be taking right now. Here are our top recommendations:
Audit your current processes. What people data are you processing? How is it managed? What people data are you transferring to other organisations such as benefits providers? Identify any potential risks and take action.
Review the data that you are holding today about your employees, former employees and job applicants – if you don’t need it, then it’s time to delete or destroy it.
Update information provided to job applicants and employees about how their data will be processed to ensure it complies with the enhanced provisions under GDPR.
Check your current HR policies that relate to data processing and update them accordingly – consider your policies on recruitment, absence, references and employee monitoring in particular.
Consider how you will handle requests for personal data in the future and put a procedure in place to respond to data subjects.
Finally – the most important thing HR can do to prepare for the GDPR – is to start now!
You can also join us for an informative webinar about GDPR, led by Jon Curtis, Managing Director of Myhrtoolkit Limited. Jon Curtis is a founder partner of Sheffield-based commercial law firm Ironmonger Curtis and Managing Director of HR software company Myhrtoolkit Limited.