The new General Data Protection Regulations (GDPR) are coming into force on the 25th May 2018. These regulations will significantly change data protection law in the UK. For HR in particular, GDPR means big changes to the way in which we manage the data we hold about employees. However, there are ways to make sure GDPR and HR work together in harmony for your organisation.
The new regulations ensure that organisations only collect the minimum amount of personal data and keep it for no longer than absolutely necessary. In terms of the processing of any data that is collected, it must be limited to that specific purpose.
GDPR and HR: 5 Key Facts
Here are the five most important things to know about when it comes to GDPR and HR records and practices:
When we process people data, typically we rely on a clause in a Contract of Employment that provides consent to do so. This isn’t going to be the case under GDPR; consent must be ‘freely given, informed, specific and explicit’. So a general contractual clause will no longer suffice. The HR function will need to ensure they gain appropriate consent to lawfully process employee data or rely on other legal grounds to do so.
Subject Access Data Requests
In HR we are used to handling requests from employees to see the data that we hold about them. Under GDPR the data now has to be provided within one month. In addition, you will no longer be able to make a charge for providing it. The GDPR may well lead to increased employee awareness of the right to request the data held about them. Due to this, HR should prepare for additional applications.
Information at the point of data collection
Under GDPR, employers will need to provide more information to people about how their data will be processed at the time they collect it. There is a lengthy list of the information that needs to be provided, and if data is then processed for a new purpose employees must be notified again.
If your employee data is subject to any type of data breach, IT related or otherwise, you must now proactively report this to the Information Commissioner. You will need to have a process to ensure that this happens.
Data Breach Claims
The GDPR will make it easier for individuals to bring claims against employers in the event of a data breach – and receive financial compensation for loss or hurt feelings. At the same time, fines against companies for non-compliance will be much higher than under current data protection legislation.
Taking all of this into account, there are some steps that HR should be taking right now. Here are our top recommendations:
- Audit your current processes. What people data are you processing? How do you then manage it? What people data are you transferring to other organisations such as benefits providers? Identify any potential risks and take action.
- Review the data that you are holding about your employees, former employees and job applicants today. If you don’t need it, then it’s time to delete or destroy it.
- Update information provided to job applicants and employees about how their data will be processed to ensure it complies with the enhanced provisions under GDPR.
- Check your current HR policies that relate to data processing and update them accordingly. Consider your policies on recruitment, absence, references and employee monitoring in particular.
- Consider how you will handle requests for personal data in the future and put a procedure in place to respond to data subjects.
HR and GDPR: the main takeaway
Finally, the most important thing HR can do in terms of preparing for the GDPR is start now!
For more information about myhrtoolkit’s approach to GDPR click here.