Are you ready?
Your HR Guide to GDPR: This short guide aims to give you an overview of the main principles of GDPR, and provide you with a template schedule for recording your data processing.
What is GDPR?
The General Data Protection Regulation (GDPR) is very similar to the current Data Protection Act (DPA), so if you already comply with that, you have a sound basis for GDPR. If you are having difficulty getting GDPR compliance right (and it is essential that you do) you should engage a consultant who specialises in GDPR.
In short, GDPR is a set of rules intended to tighten control over the data that companies hold on individuals, to give those individuals more rights over that data, and to place more accountability on the data controller. GDPR of course also covers data such as customer and marketing information, but this guide focuses on an employer's duties and on employee (and applicant) rights.
GDPR applies from 25 May 2018.
Data in this case means personal data relating to an identifiable individual.
For HR this includes all information held on the personnel file, HR e-Systems, emails and other monitoring information collected; even for example CCTV records and clocking-in records.
Processing means any operation performed on data, including collection, storage, use, alteration, disclosure and destruction.
The Data Controller is you, as the employer.
Action: Check ICO resources for more information at ico.org.uk.
What’s New in GDPR?
‘Data protection by design and default’ is new terminology and an overarching principle. Simply put, it means that the data collected, processed, stored and accessed should be restricted to the minimum needed for each specified purpose, and kept only for as long as that purpose requires. Delete any out-of-date or unnecessary information, and build these limits into your systems and processes rather than relying on policy alone.
Enhanced individual rights come into force:
Individuals have the right to be informed of how their data will be used. They can access, rectify and erase their data, and object to it being held or processed. They also have the new right of portability: data they have provided to you, where it is processed electronically on the basis of consent or contract, must be transferable to another organisation on request in a structured, commonly used, machine-readable format.
What if the employee complains?
If an employee objects to processing that relies on your legitimate interests, you must stop that processing unless you can show compelling legitimate grounds that override the employee's interests, rights and freedoms, or that the processing is needed to establish, exercise or defend legal claims. The burden of showing this falls on you, not on the employee.
What if an employee makes a Subject Access Request (SAR)?
Any data you hold on paper or electronically must be made available to the individual, free of charge, in a commonly used electronic format, within one month of the request (extendable by a further two months where requests are complex or numerous, provided you tell the individual within the first month). You may ask which categories of data they need, and why, to narrow down what you have to provide, but you cannot insist on an answer before responding. You can refuse a request, or charge a reasonable administrative fee, only where it is manifestly unfounded or excessive, and it is for you to demonstrate that.
Action: review your policy and process documents relating to SARs.
A ‘legal basis’ is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as keeping records for tax purposes (necessary to comply with a legal obligation), or necessity for the performance of the employment contract, such as paying the individual or ensuring work is performed. For much other employee data the legal basis will be a ‘legitimate interest’, for example capturing data to improve workforce performance or to respond to a dispute; where you rely on it, record what the interest is and why it is not overridden by the employee's rights.
Action: Use the template below to record the legal basis for each of your data categories.
‘Consent’ has a new definition: it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. It cannot be a pre-ticked box, assumed from silence or inactivity, an opt-out, or bundled into other terms and conditions, and it must be as easy to withdraw as it was to give. Because of the imbalance of power between employer and employee, consent will rarely be ‘freely given’ in the employment context, so rely on it only where the employee has a genuine choice and no detriment for refusing. You will most likely already have privacy statements in your documents relating to the data you currently collect.
The information you need to provide to employees and applicants now is much enhanced. You should include in your privacy notices:
- The name of the Data Controller (employer) and contact details
- DPO contact details (if you have one)
- The purpose of collecting the data, the legal bases and, where relied on, the legitimate interests
- Categories of data processed
- Data recipients
- Any transfer of data outside the EEA
- The period of data storage
- Rights of the data subjects
- Consequences of the data subject failing to provide information that might be necessary to perform a contract
- Any automated decision making or profiling (this can be absence management triggers, attendance, holidays etc.)
This privacy notice must be provided at the point of data collection, for example on the form you ask a new employee to fill in with their personal information or referee details.
Action: review how consent is given and the privacy notices your people sign.
Creating and keeping your schedule
Creating an internal record of your data processing gives you a basis for reviewing all of the data you hold, why you hold it, what you do with it and for how long. This is the first step to complying with GDPR, and the record must be produced on request to the supervisory authority. It will also help you locate data if you receive a SAR, or a request to rectify, erase or port data.
Your schedule is the Who, What, Why, Where and When of data, and there is an example register available at thehrdept.gi.
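One way to turn the Who, What, Why, Where and When schedule into something you can actually check, as an added Python example that is not the page's template and not the register published at thehrdept.gi: a small processing register with a validation pass (every category has a recognised legal basis, a stated legitimate interest where that basis is used, and a retention period), a retention sweep that lists records past their category's period or belonging to no registered category at all, and a SAR export that bundles each item with the purpose, basis, recipients and retention period the response must state. The field names, basis labels, categories, dates and sample rows are assumptions constructed for illustration.

```python
"""Minimal processing register with retention and SAR helpers.

Added example, not the page's template: the field names, legal-basis
labels and the sample rows below are assumptions constructed for
illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Lawful bases the register accepts (labels are this example's own).
LEGAL_BASES = {"contract", "legal_obligation", "legitimate_interest", "consent"}

# The date GDPR applies from; used as "today" for the retention sweep below.
GDPR_DAY = date(2018, 5, 25)


@dataclass(frozen=True)
class RegisterEntry:
    """One row of the schedule: the What, Why, Where and When of a data category."""
    category: str                  # What is held, e.g. "payroll"
    purpose: str                   # Why it is held
    legal_basis: str               # Which lawful basis justifies it
    legitimate_interest: str = ""  # Required only when legal_basis is legitimate_interest
    location: str = ""             # Where it lives (system or file)
    recipients: tuple = ()         # Who receives it
    retention_days: int = 0        # How long it may be kept after collection
    outside_eea: bool = False      # Whether it is transferred outside the EEA


@dataclass(frozen=True)
class Record:
    """One item of personal data about one data subject (the Who)."""
    subject_id: str
    category: str
    collected_on: date


def validate_register(register):
    """Return a list of problems; an empty list means every category is justified."""
    problems = []
    for e in register:
        if e.legal_basis not in LEGAL_BASES:
            problems.append(f"{e.category}: unknown legal basis '{e.legal_basis}'")
        if e.legal_basis == "legitimate_interest" and not e.legitimate_interest:
            problems.append(f"{e.category}: legitimate interest not stated")
        if e.retention_days <= 0:
            problems.append(f"{e.category}: no retention period")
        if not e.purpose:
            problems.append(f"{e.category}: no purpose recorded")
    return problems


def expired_records(records, register, today):
    """Records past their category's retention period (candidates for deletion).

    A record whose category is not in the register is reported too: data with
    no recorded purpose has no basis to be kept at all.
    """
    retention = {e.category: e.retention_days for e in register}
    out = []
    for r in records:
        days = retention.get(r.category)
        if days is None or r.collected_on + timedelta(days=days) < today:
            out.append(r)
    return out


def subject_access_export(subject_id, records, register):
    """Build the SAR response for one person as a plain dict (JSON-friendly)."""
    by_cat = {e.category: e for e in register}
    items = []
    for r in records:
        if r.subject_id != subject_id:
            continue
        e = by_cat.get(r.category)
        items.append({
            "category": r.category,
            "collected_on": r.collected_on.isoformat(),
            "purpose": e.purpose if e else "UNRECORDED",
            "legal_basis": e.legal_basis if e else "UNRECORDED",
            "recipients": list(e.recipients) if e else [],
            "retention_days": e.retention_days if e else None,
            "transferred_outside_eea": e.outside_eea if e else None,
        })
    return {"subject_id": subject_id, "items": items}


# Constructed sample data (hypothetical categories, systems and dates).
REGISTER = [
    RegisterEntry("payroll", "Pay the employee", "contract",
                  location="HR system", recipients=("payroll provider",), retention_days=6 * 365),
    RegisterEntry("tax_records", "Statutory tax reporting", "legal_obligation",
                  location="HR system", recipients=("tax authority",), retention_days=6 * 365),
    RegisterEntry("cctv", "Site security", "legitimate_interest",
                  legitimate_interest="Protect staff and premises", location="DVR", retention_days=30),
    RegisterEntry("applicant_cv", "Recruitment", "legitimate_interest",
                  location="Shared drive", retention_days=180),  # interest not stated: flagged
]

RECORDS = [
    Record("emp-001", "payroll", date(2018, 1, 10)),
    Record("emp-001", "cctv", date(2018, 4, 1)),          # 30-day retention: expired by GDPR_DAY
    Record("app-042", "applicant_cv", date(2017, 9, 1)),  # 180 days: expired by GDPR_DAY
    Record("emp-001", "old_survey", date(2016, 3, 3)),    # category not in register: no basis
]

if __name__ == "__main__":
    print("register problems:", validate_register(REGISTER))
    print("to delete:", [(r.subject_id, r.category)
                         for r in expired_records(RECORDS, REGISTER, GDPR_DAY)])
    print(json.dumps(subject_access_export("emp-001", RECORDS, REGISTER), indent=2))
```

Run it as-is and the register check flags the recruitment category (a legitimate interest claimed but never stated), the retention sweep lists the CCTV clip, the old CV and the survey data that no longer has a category, and the SAR export for emp-001 marks the survey item as UNRECORDED so the gap is visible before the response goes out rather than after.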
BY SYLVIA KENNA