Home Business HR GUIDE to GDPR

HR GUIDE to GDPR

May 1, 2018

622

Are you ready?

Your HR Guide to GDPR: This short guide aims to give you an overview of the main principles of GDPR, and provide you with a template schedule for recording your data processing.

What is GDPR?

The General Data Protection Regulations are very similar to the current DPA, so if you comply with that already, you have a great basis for GDPR.

In short, GDPR is a set of regulations intended to tighten up the data that companies hold on individuals, give those individuals more rights regarding that data, and means more accountability for the data controller. GDPR of course relates to data such as customer and marketing information, but this guide focuses on an employer’s duties, and employee (and applicant) rights.

GDPR comes into force on 25^th May 2018.

Definitions:

Data in this case means personal data relating to an identifiable individual.

For HR this includes all information held on the personnel file, HR e-Systems, emails and other monitoring information collected; even for example CCTV records and clocking-in records.

Processing means collection, storage, use, alteration, disclosure and destruction of data.

The Data Controller is you, as the employer.

Action: Check ICO resources for more information at ico.org.

What’s New in GDPR?

‘Data protection by design and default’ is new terminology and an overarching principle. Simply put, it means that data collected, processed, stored and accessed should be restricted to the minimum for each specified purpose. Data should only be kept for as long as necessary. Delete any out of date or unnecessary info.

Enhanced individual rights come into force:

Individuals have the right to be informed of how their data will be used. They can access, rectify, erase and object to data being held or processed. They also have the new right of portability, that is, the data can be transferred to another organisation on request.

What if the employee complains?

You will not be able to process data until you can show that the legitimate interest or legal basis outweighs the interests or rights of the employee.

What if an employee makes a Subject Access Request (SAR)?

Any data you hold on paper or electronically should be available to the individual, free of charge, in a commonly used format, electronically and within one month. You can ask them for what categories of data they need, and an explanation of why, to narrow down what you need to provide. You can, however, refuse or charge an admin fee for an excessive request(s).

Action: review policy and process docs relating to SARs

A ‘legal basis’ is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as recording for tax purposes, necessary for a legal obligation, or for the performance of the contract, like paying the individual or ensuring work is performed. For much employee data, the legal basis will be a ‘legitimate interest’, for example capturing data to improve workforce performance or to respond to a dispute.

Action: Use the template below to record the legal basis for each of your data categories.

‘Consent’ has a new definition: it must be freely given, specific, informed and unambiguous. It cannot be a tick box, assumed by silence or inactivity, opt-out or tied up in other Ts and Cs. You will most likely have privacy statements in your documents relating to data you currently collect.

The information you need to provide to employees and applicants now is much enhanced. You should include in your privacy notices:

The name of the Data Controller (employer) and contact details
DPO contact details (if you have one)
The purpose of colleting the data, the legal bases and legitimate interests
Categories of data processed
Data recipients
Any transfer of data outside the EEA
The period of data storage
Rights of the data subjects
Consequences of the data subject failing to provide information that might be necessary to perform a contract
Any automated decision making or profiling (this can be absence management triggers, attendance, holidays etc.)

This privacy notice must be provided at the point of data collection, for example on the form you ask a new employee to fill in with their personal information or referee details.

Action: review how consent is given and the privacy notices your people sign.

Creating and keeping your schedule

Creating an internal record of your data processing will give you a basis for reviewing all of the data you hold, why, what you do with it, and for how long. This is the first step to complying with GDPR, this must be produced on request by the governing body. It will also help to locate data if you get a SAR, or request to otherwise process data at an individual’s request.

Your schedule is the Who, What, Why, Where and When of data, and there is an example register available at thehrdept.gi.

BY SYLVIA KENNA

Carers’ Support Group

STEM Inspirational Awards

Fire Services continue LNG Awareness and Incident Command Training

Pilot Residential Parking Schemes – Zones 1 and 2 Changes

Launch of Gibraltar Association for New Technologies Boosts Blockchain Ecosystem

GIBRALTAR DAY IN TEL AVIV

YOUR PROPERTY PORTFOLIO

The Future of Retail

Taxing Times for UK Property

MACAQUES ON THE MED STEPS

A SILENT STEP IN THE RIGHT DIRECTION

PATRIZIA IMOSSI – A New Leaf on Art

MENORCANS IN GIBRALTAR

A BOY FROM RED SANDS (Henry Valerga)

MTV Gibraltar Calling: Looking Back

FOR THE LOVE OF LITERATURE

THE POISONED ROCK

BORN OF SILK AND SPICES

DIARY OF A NOVICE BOOT CAMPER

WINTER TREND REPORT

MAN OF THE MOMENT JOSEPH CHIPOLINA

NOVEMBER ISSUE EDITOR’S NOTE

hello there – WHICH BOOK CHARACTER FIRST INSPIRED YOU?

OCTOBER ISSUE EDITOR’S NOTE

Hello There – What’s your favourite song of 2018?

Related

Latest article