From 25 May 2018 the General Data Protection Regulation (GDPR) applies to any entity that handles personal data of individuals in the EU, including employee data. As the UK will soon introduce a new Data Protection Act which echoes the GDPR, Brexit does not mean your organisation can ignore the GDPR. Given the breadth of personal employee data which HR departments handle, it is imperative to get it right.
Rather than view GDPR as yet another legislative hoop to jump through, HR departments should use it as an opportunity to revisit existing data policies and procedures to check that they are fit for purpose.
Know your data
The starting point for GDPR compliance is knowing what data your organisation holds. Undertaking a data audit and mapping data flows across your organisation will not only help to increase awareness of where and how employee details are held, it could identify a more effective way of processing it. Remember to include contractors and agency staff – for example, you may need to consider how you receive and store CVs.
Do you know what data you currently retain and for how long?
The HR team should consider carefully how long it needs to retain any data – for example, are historic HR records for former employees needed for legal reasons? If data is no longer needed, it must be securely destroyed. Employers who have a high volume of seasonal employees, whom they contact when needed, may need to consider how they retain this data and on what basis.
Don’t just rely on consent as the legal basis for processing employee data
Under GDPR, while consent is still a legal basis for processing data, the thrust of the new regime is that consent should not necessarily be the first option, particularly where there is an imbalance of power such as between employer and employee. Within an employment law context, it would be more appropriate to rely on other lawful bases for processing, such as the processing being necessary for the performance of the employment contract, or necessary for the purposes of the organisation’s legitimate interests – provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject. For example, the employee’s rights would not be overridden by payroll being processed by a third party.
Update your privacy notice
To ensure GDPR compliance, an organisation should have a clearly worded data protection and privacy notice. This enables people to understand the personal data (information) held about employees, workers and job applicants as well as:
- How data will be collected and stored
- How the organisation will use the data and if information is to be shared during employment and after the employment ends
- How long the information will be held for
- The rights of data subjects (see below)
- Details of the right to complain to the regulator (the ICO).
Understand data subject rights
An employee (or data subject) has eight rights under the GDPR, including the right to access the data held by the organisation and to ascertain who this information is shared with. HR departments should prepare to respond to such requests without undue delay, and in any event within the new one-month period, although this period may be extended by a further two months where requests are particularly complex or numerous.
Ensuring data is kept up to date in the case of a subject access request will be critical, particularly for those employers who outsource some services or enable employees to update personal data remotely.
The new regulations also give employees the right to have inaccurate data corrected and irrelevant data deleted. When they leave they can formally request to be ‘forgotten’, although there may still be data which the former employer is permitted to retain (for example, to defend any legal proceedings).
Do you share employees’ data with a third party?
Many smaller organisations outsource payroll and most will share employee data with a pensions or other benefit provider. Do you know how they are handling your employees’ data – is it transferred securely? Under GDPR it would be prudent to review the contracts that you have in place and ensure that your employees also know how and why you share their data with the third party. Such contracts should be carefully reviewed, as third party data processors may seek to impose unreasonable conditions on the employer or limit their own liability.