GDPR and employee data - are your HR processes compliant?
Posted on 22nd March 2018 at 12:14
Most of the talk we are currently hearing about the new EU General Data Protection Regulation (GDPR) concerns its impact on how we store and process customer data. However, when the GDPR takes effect on 25 May 2018, it is not just customer data we need to consider. From that date, employees will have the same rights over their own personal data as customers do, and employers must be able to demonstrate that they honour them.
Any person (including employees, and also job applicants and former employees) whose personal data you hold has the right to:
Access. There must be a Subject Access Request process so that employees may request a copy of their data. You must respond without undue delay and in any event within one month of receiving the request (extendable by a further two months for complex or numerous requests, provided you tell the employee why within the first month).
Rectify incorrect personal data. Employees must have a facility to request that inaccurate or incomplete data is corrected.
Be forgotten. Employees may ask for personal data to be erased in certain circumstances, for example where it is no longer needed for the purpose it was collected for. Erasure does not apply where you are required by law to keep the data, such as records needed for tax or statutory employment purposes.
Data portability. Employees can ask to receive the personal data they have provided to you in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where that is technically feasible.
Object. Employees may object to their personal data being processed in certain circumstances, in particular where the processing rests on your legitimate interests rather than on the employment contract or a legal obligation.
Restrict processing of their data. When processing is restricted, storage of the data is permitted, but further processing is not.
Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (for example automated shortlisting or performance scoring). Such processing is only permitted with the employee's explicit consent, where it is necessary for entering into or performing a contract, or where it is authorised by law.
By 25 May 2018, employers are required to have policies and processes in place that give effect to these rights. Those processes will also need to demonstrate compliance with the following data protection principles.
DATA PROTECTION PRINCIPLES
Personal data must be:
Processed lawfully, fairly and transparently. There must always be a lawful basis to process personal data. Employees must be told who controls the data, the purpose(s) for which it is being processed, the lawful basis relied on, and to whom it may be disclosed.
Collected for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If an employer wants to change the way personal data is used, they must first tell the employees.
Adequate, relevant and limited to what is necessary. Data that is not necessary should not be requested or held.
Accurate and kept up to date. Regular checks must be made to correct or destroy inaccurate data.
Kept for no longer than is necessary. Data must be destroyed or deleted when it is no longer needed.
Processed in a manner that ensures appropriate security. Personal data must be protected by appropriate technical and organisational measures against unauthorised or unlawful access, accidental loss, destruction or damage. In practice this means controlling who can see HR records, keeping them only where you know they are held, and being able to detect and report a breach.
WHAT SHOULD EMPLOYERS BE DOING?
Employers must now review the ways in which they process employee data, the lawful basis for processing the data and how they collect and store that data. Now is the time to take action towards compliance with the new regulations.
Your next steps on the HR front should be:
1. Identify what personal data you hold on your employees/prospective employees.
2. Review employee data flows, where you hold employee data, how long you retain employee personal data for and whether you disclose any employee personal data to third parties.
3. Review current data protection policies and processes, including employment contracts and employee handbooks.
4. Where you have previously relied on consent from employees to store and process their data, you will need to identify an alternative lawful basis for the processing (e.g. processing is necessary for the contract of employment you have with the employee, or to comply with a legal obligation such as payroll and tax reporting). Consent is rarely a sound basis in the employment context: because of the imbalance of power between employer and employee it is unlikely to be regarded as freely given, and it can be withdrawn at any time.
5. Update data protection policies and processes to comply with the new regulations. You will need to develop new processes by which:
employees can obtain access to their own personal data.
you ensure employee personal data remains accurate and up-to-date.
you can provide employees with a copy of their data (held by you or by a third party on your behalf) in a structured, commonly used and machine-readable form.
an employee can request their data be erased, blocked or processing of it restricted (in certain circumstances).
you securely dispose of employee personal data at the appropriate time.
6. Create data privacy notices which tell employees what personal data you hold, why you hold it, the lawful basis you rely on, how long you keep it, who it is shared with (including third-party providers such as payroll or benefits suppliers), and how they can exercise the rights listed above.
At Plain Talking HR we are currently reviewing the data protection policies and procedures, employment contracts, employee handbooks and data privacy notices for our retained clients. As part of our consultancy agreement with those clients, we will be providing them with a new set of employee documentation so that, by following the new processes together with our advice and guidance, they can be confident they comply with the new regulations from the HR perspective.
If you would like to find out more about your responsibilities as an employer under the new regulations, or would like help to create GDPR compliant policies, processes, employment contracts and employee handbooks, please contact us and we will be happy to discuss it with you.