Managing your Personnel Data & GDPR
The General Data Protection Regulation came into force on the 25th May 2018. As you know, this is nothing new: there has been legislation in relation to the processing of personal data for 20 years. What is new are the severe penalties for non-compliance, stricter rules about consent (a general clause in a contract of employment is unlikely to be compliant) and a requirement to provide more information on the data that an employer holds and what they do with it.
For this article we are commenting on the personnel data that your organisation holds, not customer data.
Organisations can process personal data lawfully on a number of grounds, including:
- To perform an employment contract, e.g. to pay employees we will need to process personal data.
- To comply with a legal requirement, e.g. to check for the right to work in the UK.
- To protect the employee’s vital interests, e.g. information about a medical condition.
- To carry out a task in the public interest, e.g. equal opportunities monitoring.
- To protect the legitimate interests of the employer, which would include making decisions about recruitment and promotion, training, pay and benefits, managing performance, conduct, attendance and leave, dealing with discipline and grievances, business planning and dealing with claims against the organisation.
Most of the processing that your HR team does will be covered by one of the above, and consent is not required. If consent is required, it must be specific and explicit, not tied to anything else, and it can be refused or withdrawn.
So what do your HR teams need to do to ensure that they are ready for GDPR?
- Conduct an audit of the personal data that you process and identify the legal basis for processing it.
- If no legal basis exists, consider whether you require this data and, if you do, obtain the employee’s consent to process the data.
- Identify any data that is shared with a third party, e.g. a payroll provider, and review your contracts with them to include an agreement on their obligations in relation to the processing of the data that you provide to them.
- Review the existing security measures in place regarding the storing and sharing of personal data, for example the use of password protection, locked cabinets and confidentiality in open plan offices.
- Train all employees who handle personal data in the principles of data protection.
- Produce a policy or privacy notice for employees which sets out the personal data that you process on them, the basis for processing and their rights in relation to their personal data, such as subject access requests.
If you would like People Vision to help you with this, whether the audit or the policy work, just email admin@pvhr.com or call 03454599710; we would be happy to help you.
Sian Hughes, People Vision Employee Relations Lead Consultant