With mere days left to go until the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018, it is time to get your HR practices GDPR ready!
GDPR replaces the Data Protection Act 1998 (DPA) and introduces broad changes to data protection laws across Europe. The DPA was implemented at a time when ‘wireless’ still meant radio, when the Spice Girls were on their first time around and when we stored data on floppy discs. It’s fair to say it has become outdated in relation to our digital and constantly connected world.
GDPR for employers
GDPR governs the way that personal data is stored, controlled, processed, shared and destroyed. Although the concepts of ‘data subject’, ‘personal data’, ‘data controller’ and ‘data processor’ remain broadly the same as under the DPA, there are some key changes for employers in relation to recruitment and HR data.
It remains the case (as with the DPA) that employers must have a lawful basis for processing personal data. Historically for HR this has been: consent, contractual necessity, to comply with legal obligations and a legitimate interest of the controller. However, GDPR makes it clear that there are limits to consent; it can be withdrawn, it must be freely given and the consent must be specific and informed. For this reason, it is recommended that HR do not rely on consent. Instead, HR should look to the other lawful grounds for processing the data and explain that position to employees.
3 top tips
For many, the GDPR changes feel a bit overwhelming, but with a methodical approach, it is a task that employers can get to grips with. As a starting point we suggest the following three key steps:
1. Prepare an HR data map
This is a document that shows exactly what personal data is held, on a granular basis (e.g. name, date of birth, address etc.), where it is held, what happens to it, how long it is retained for, who is responsible for destroying the data etc. It should also record the lawful basis for processing each item of data; further details of the lawful bases can be found on the ICO website.
2. Create an Employee Privacy Notice
Once you have a data map, convert this into an easy-to-read ‘Employee Privacy Notice’ which, once prepared, needs to be sent out to employees and made accessible to them for future use (such as in a staff handbook or on the intranet). Details about these notices can be found on the ICO website.
3. Tailor precedent employment contracts
Focusing on new starters, tailor precedent employment contracts, removing references to the employee giving consent to data processing. For existing employees, employment contracts can remain the same but you should make clear in the Employee Privacy Notice what lawful grounds for processing are relied upon. Where specific consent is required, such as to obtain medical records, ensure that the consent request is presented in clear documentation (separate from the employment contract) and the employee is fully informed of the reasons for the request.