Home Business HR GUIDE to GDPR

HR GUIDE to GDPR

The Gibraltar Magazine

May 1, 2018

866

-advertisement-

Are you ready?

Your HR Guide to GDPR: This short guide aims to give you an overview of the main principles of GDPR, and provide you with a template schedule for recording your data processing.

What is GDPR?

The General Data Protection Regulations are very similar to the current DPA, so if you comply with that already, you have a great basis for GDPR.

In short, GDPR is a set of regulations intended to tighten up the data that companies hold on individuals, give those individuals more rights regarding that data, and means more accountability for the data controller. GDPR of course relates to data such as customer and marketing information, but this guide focuses on an employer’s duties, and employee (and applicant) rights.

GDPR comes into force on 25^th May 2018.

Definitions:

Data in this case means personal data relating to an identifiable individual.

For HR this includes all information held on the personnel file, HR e-Systems, emails and other monitoring information collected; even for example CCTV records and clocking-in records.

Processing means collection, storage, use, alteration, disclosure and destruction of data.

The Data Controller is you, as the employer.

Action: Check ICO resources for more information at ico.org.

What’s New in GDPR?

‘Data protection by design and default’ is new terminology and an overarching principle. Simply put, it means that data collected, processed, stored and accessed should be restricted to the minimum for each specified purpose. Data should only be kept for as long as necessary. Delete any out of date or unnecessary info.

Enhanced individual rights come into force:

Individuals have the right to be informed of how their data will be used. They can access, rectify, erase and object to data being held or processed. They also have the new right of portability, that is, the data can be transferred to another organisation on request.

What if the employee complains?

You will not be able to process data until you can show that the legitimate interest or legal basis outweighs the interests or rights of the employee.

What if an employee makes a Subject Access Request (SAR)?

Any data you hold on paper or electronically should be available to the individual, free of charge, in a commonly used format, electronically and within one month. You can ask them for what categories of data they need, and an explanation of why, to narrow down what you need to provide. You can, however, refuse or charge an admin fee for an excessive request(s).

Action: review policy and process docs relating to SARs

A ‘legal basis’ is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as recording for tax purposes, necessary for a legal obligation, or for the performance of the contract, like paying the individual or ensuring work is performed. For much employee data, the legal basis will be a ‘legitimate interest’, for example capturing data to improve workforce performance or to respond to a dispute.

Action: Use the template below to record the legal basis for each of your data categories.

‘Consent’ has a new definition: it must be freely given, specific, informed and unambiguous. It cannot be a tick box, assumed by silence or inactivity, opt-out or tied up in other Ts and Cs. You will most likely have privacy statements in your documents relating to data you currently collect.

The information you need to provide to employees and applicants now is much enhanced. You should include in your privacy notices:

The name of the Data Controller (employer) and contact details
DPO contact details (if you have one)
The purpose of colleting the data, the legal bases and legitimate interests
Categories of data processed
Data recipients
Any transfer of data outside the EEA
The period of data storage
Rights of the data subjects
Consequences of the data subject failing to provide information that might be necessary to perform a contract
Any automated decision making or profiling (this can be absence management triggers, attendance, holidays etc.)

This privacy notice must be provided at the point of data collection, for example on the form you ask a new employee to fill in with their personal information or referee details.

Action: review how consent is given and the privacy notices your people sign.

Creating and keeping your schedule

Creating an internal record of your data processing will give you a basis for reviewing all of the data you hold, why, what you do with it, and for how long. This is the first step to complying with GDPR, this must be produced on request by the governing body. It will also help to locate data if you get a SAR, or request to otherwise process data at an individual’s request.

Your schedule is the Who, What, Why, Where and When of data, and there is an example register available at thehrdept.gi.

BY SYLVIA KENNA

-advertisement-

HERITAGE AWARDS 2020

RNGS Marine Engineering Department Receive Hervert Lott Award

Sustainable Tips for the Festive Season from The Nautilus Project

Trialling of New Electric Buses in Gibraltar

Platinum Jubilee To Be Marked With Extra Bank Holiday in 2022

Don’t Bank On It!

Kleinwort Hambros Gibraltar

How to Value Your Business

Give Us a Sign

Discovery of the Round Tower

Refuse And Bagpipes

Let’s Talk… Real – Male Suicide

Hearts of Gibraltar – Natalie Hill

Covid, Clay, and Creative Ceramics

Artist Callout

Bookish… November 2020

Art Club – Empire State Building

THE SCOREBOARD – November 2020

Finding Zeeland

Harry’s French Onion Soup

Diary of a Wine Lover

The Spirit of Christmas and Illuminations

102nd Anniversary of Armistice Day – Wednesday 11th November 2020

Literature Week Programme of Events

The Creatives Exhibition with LEGO Bricks

Other Articles

SHOOTING STARS – New hatchlings at the range

Jack’s CHD Journey

1 MINUTE BROWNIE – Microwave mug dessert

Over 300 New Parking Spaces for Commercial Vehicles