Are you ready?
Your HR Guide to GDPR: This short guide aims to give you an overview of the main principles of GDPR, and provide you with a template schedule for recording your data processing.
What is GDPR?
The General Data Protection Regulations are very similar to the current DPA, so if you comply with that already, you have a great basis for GDPR. If you are having problems getting your GDPR right (and it’s essential that you do!) then you should contact a consultant that specialises in GDPR for help.
In short, GDPR is a set of regulations intended to tighten up the data that companies hold on individuals, give those individuals more rights regarding that data, and place more accountability on the data controller. GDPR of course relates to data such as customer and marketing information, but this guide focuses on an employer’s duties, and employee (and applicant) rights.
GDPR comes into force on 25th May 2018.
Definitions:
Data in this case means personal data relating to an identifiable individual.
For HR this includes all information held on the personnel file and HR e-Systems, emails, and other monitoring information collected, including, for example, CCTV records and clocking-in records.
Processing means collection, storage, use, alteration, disclosure and destruction of data.
The Data Controller is you, as the employer.
Action: Check ICO resources for more information at ico.org.
What’s New in GDPR?
‘Data protection by design and default’ is new terminology and an overarching principle. Simply put, it means that data collected, processed, stored and accessed should be restricted to the minimum for each specified purpose. Data should only be kept for as long as necessary. Delete any out of date or unnecessary info.
Enhanced individual rights come into force:
Individuals have the right to be informed of how their data will be used. They can access, rectify, erase and object to data being held or processed. They also have the new right of portability, that is, the data can be transferred to another organisation on request.
What if the employee complains?
You will not be able to process data until you can show that the legitimate interest or legal basis outweighs the interests or rights of the employee.
What if an employee makes a Subject Access Request (SAR)?
Any data you hold on paper or electronically should be available to the individual, free of charge, in a commonly used format, electronically and within one month. You can ask them which categories of data they need, and for an explanation of why, to narrow down what you need to provide. You can, however, refuse an excessive request or charge an admin fee for it.
Action: review policy and process docs relating to SARs.
A ‘legal basis’ is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as recording for tax purposes; processing that is necessary for a legal obligation; or processing for the performance of the contract, like paying the individual or ensuring work is performed. For much employee data, the legal basis will be a ‘legitimate interest’, for example capturing data to improve workforce performance or to respond to a dispute.
Action: Use the template below to record the legal basis for each of your data categories.
‘Consent’ has a new definition: it must be freely given, specific, informed and unambiguous. It cannot be a tick box, assumed by silence or inactivity, opt-out or tied up in other Ts and Cs. You will most likely have privacy statements in your documents relating to data you currently collect.
The information you need to provide to employees and applicants now is much enhanced. You should include in your privacy notices:
- The name of the Data Controller (employer) and contact details
- DPO contact details (if you have one)
- The purpose of collecting the data, the legal bases and legitimate interests
- Categories of data processed
- Data recipients
- Any transfer of data outside the EEA
- The period of data storage
- Rights of the data subjects
- Consequences of the data subject failing to provide information that might be necessary to perform a contract
- Any automated decision making or profiling (this can be absence management triggers, attendance, holidays etc.)
This privacy notice must be provided at the point of data collection, for example on the form you ask a new employee to fill in with their personal information or referee details.
Action: review how consent is given and the privacy notices your people sign.
Creating and keeping your schedule
Creating an internal record of your data processing will give you a basis for reviewing all of the data you hold, why you hold it, what you do with it, and for how long. This is the first step to complying with GDPR, and the record must be produced if the governing body requests it. It will also help you to locate data if you get a SAR, or a request from an individual to otherwise process their data.
Your schedule is the Who, What, Why, Where and When of data, and there is an example register available at thehrdept.gi.
BY SYLVIA KENNA