By Kimberley Barrett-St Vall, employment and HR partner at Napthens Solicitors.
The EU’s General Data Protection Regulation (GDPR) will make changes to the Data Protection Act 1998. Breaching the GDPR can attract significant fines of up to €20m or 4 per cent of global turnover.
Businesses will benefit from adopting a holistic approach to GDPR compliance across their entire organisation, factoring in IT systems, cyber security, marketing as well as HR and employment law issues.
In this article I’m taking a closer look at the part HR will have to play in GDPR compliance:
Your business will be under an obligation under the GDPR to provide greater detail to candidates setting out:
- details of the data controller
- the category of data being processed
- the legal basis of processing
- the recipient
- the processor’s details
- if the data is to be transferred outside the EEA
- the consequences for the employee of not providing the information required under the contract
If as part of your recruitment process your business uses any form of profiling, candidates must be made aware of this and its consequences.
Employers should only collect the minimum amount of information for a specific purpose and ensure the data is stored for no longer than necessary. Access should be restricted in consideration of what is necessary.
Processing Employee Data
It is common practice for employers to use the employee’s consent as the basis of processing personal data. Even prior to the GDPR this approach was criticised, as it is questionable whether consent can be given “freely in an informed fashion and specific and explicit”, given it is often conditional on the offer of employment.
Going forward you should rely on a legal basis other than consent for processing employee personal data. Businesses must ensure processing is based on one of the following:
- compliance with a legal obligation, e.g. processing payroll data to ensure the employee is paid
- the performance of a contract, e.g. processing data in the context of healthcare insurance provision
- a legitimate interest of the employer (or third party processor)
Data Subject Access Request
After May 2018 there will be no fee to pay if employees make a data subject access request, and requests must be dealt with within 30 days (currently 40). There is likely to be an increase in requests, and it is important you understand how to handle them efficiently.
The GDPR is clear – it requires employers to demonstrate compliance. I suggest this involves more than a tickbox exercise and rather a change in culture with a commitment to embrace the GDPR. Given your Data Protection Officer cannot be everywhere at all times, cascading understanding and awareness through new policies and procedures and support through training for your employees will be vital.