Home Business HR GUIDE to GDPR

HR GUIDE to GDPR

May 1, 2018

Are you ready?

Your HR Guide to GDPR: This short guide aims to give you an overview of the main principles of GDPR, and provide you with a template schedule for recording your data processing.

What is GDPR?

The General Data Protection Regulations are very similar to the current DPA, so if you comply with that already, you have a great basis for GDPR.

In short, GDPR is a set of regulations intended to tighten up the data that companies hold on individuals, give those individuals more rights regarding that data, and means more accountability for the data controller. GDPR of course relates to data such as customer and marketing information, but this guide focuses on an employer’s duties, and employee (and applicant) rights.

GDPR comes into force on 25^th May 2018.

Definitions:

Data in this case means personal data relating to an identifiable individual.

For HR this includes all information held on the personnel file, HR e-Systems, emails and other monitoring information collected; even for example CCTV records and clocking-in records.

Processing means collection, storage, use, alteration, disclosure and destruction of data.

The Data Controller is you, as the employer.

Action: Check ICO resources for more information at ico.org.

What’s New in GDPR?

‘Data protection by design and default’ is new terminology and an overarching principle. Simply put, it means that data collected, processed, stored and accessed should be restricted to the minimum for each specified purpose. Data should only be kept for as long as necessary. Delete any out of date or unnecessary info.

Enhanced individual rights come into force:

Individuals have the right to be informed of how their data will be used. They can access, rectify, erase and object to data being held or processed. They also have the new right of portability, that is, the data can be transferred to another organisation on request.

What if the employee complains?

You will not be able to process data until you can show that the legitimate interest or legal basis outweighs the interests or rights of the employee.

What if an employee makes a Subject Access Request (SAR)?

Any data you hold on paper or electronically should be available to the individual, free of charge, in a commonly used format, electronically and within one month. You can ask them for what categories of data they need, and an explanation of why, to narrow down what you need to provide. You can, however, refuse or charge an admin fee for an excessive request(s).

Action: review policy and process docs relating to SARs

A ‘legal basis’ is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as recording for tax purposes, necessary for a legal obligation, or for the performance of the contract, like paying the individual or ensuring work is performed. For much employee data, the legal basis will be a ‘legitimate interest’, for example capturing data to improve workforce performance or to respond to a dispute.

Action: Use the template below to record the legal basis for each of your data categories.

‘Consent’ has a new definition: it must be freely given, specific, informed and unambiguous. It cannot be a tick box, assumed by silence or inactivity, opt-out or tied up in other Ts and Cs. You will most likely have privacy statements in your documents relating to data you currently collect.

The information you need to provide to employees and applicants now is much enhanced. You should include in your privacy notices:

The name of the Data Controller (employer) and contact details
DPO contact details (if you have one)
The purpose of colleting the data, the legal bases and legitimate interests
Categories of data processed
Data recipients
Any transfer of data outside the EEA
The period of data storage
Rights of the data subjects
Consequences of the data subject failing to provide information that might be necessary to perform a contract
Any automated decision making or profiling (this can be absence management triggers, attendance, holidays etc.)

This privacy notice must be provided at the point of data collection, for example on the form you ask a new employee to fill in with their personal information or referee details.

Action: review how consent is given and the privacy notices your people sign.

Creating and keeping your schedule

Creating an internal record of your data processing will give you a basis for reviewing all of the data you hold, why, what you do with it, and for how long. This is the first step to complying with GDPR, this must be produced on request by the governing body. It will also help to locate data if you get a SAR, or request to otherwise process data at an individual’s request.

Your schedule is the Who, What, Why, Where and When of data, and there is an example register available at thehrdept.gi.

BY SYLVIA KENNA

Discovery of fragments of a Gorgoneion: a ceramic representation of the…

Statement from Minister for Health, Care and Justice, Neil Costa.

Closure of Airport Damaged Gibraltar’s Reputation

Gibraltar Autumn Cultural Programme: Full List of Events

Chief Minister to Receive La Linea Mayor and Apymell President at…

Startups For Scale Or Sale

Property Investment Abroad : Asturias

Whose Job Is It?

Corporate Structures and Startups

Beads For Life

A Zookeepers Diary September 2019

Driving Force: Jimmy Dalmedo

Climate Change: The Greenhouse Effect

Kitchen Studios Sexhibition

Worth The Wait

Gods On The Rock

Gibraltar Stories

Urban Eatery

Bonnie Scotland

Moroccan Meatballs In A Tomato Tagine Sauce

Setting Sail With The R.G.Y.C

Gibraltar Autumn Cultural Programme: Full List of Events

Government will send young Gibraltarians to Commonwealth Youth Parliament

Hello there: How do you Celebrate National Day?

September Issue 2019, Editor’s Note

Other Articles

Dancing Across The Med

SPORTS-TECH INNOVATION – What to expect in 2018

LEAPING FOR CHARITY

GCC Assesses Security Threat Level for Gibraltar

Social

Other Articles