Critical Data Protection Update for Employers: How GDPR Affects Your Business
Posted: Monday 9th October 2017
In less than 88 days, the biggest overhaul of data protection law in the last 20 years (GDPR) comes into play.
GDPR will impact heavily on HR departments, which routinely process employees’ personally identifiable information, including what will be known as ‘special’ data, such as data relating to an employee’s race/ethnicity, trade union membership, sexuality, and physical or mental health.
From 25th May 2018, processing of special data is prohibited unless the employer can justify a legal basis for the processing.
The three grounds most likely to be relied upon by HR professionals are:
a) the employee explicitly consents to the processing of their data (this is potentially problematic);
b) the processing is necessary to carry out the employer’s obligations or exercise its rights under employment law; and
c) the data is processed in connection with occupational health.
However, in order to rely on grounds b or c above, an employer must have an appropriate policy in place.
The policy needs to set out how the employer proposes to meet the (soon to be) six data protection principles in relation to the processing of employee special data, together with the company’s approach to retention and erasure of employee information and the period for which it proposes to retain that information.
Simply put: No policy. No processing!
As to consent (ground a above), employers who currently rely on it are advised not to continue doing so as the legal basis for processing employee information. This is because the employer/employee relationship is typically unequal and, to be valid, consent must be freely given. It is recommended that employers look to rely on grounds b or c instead.
This means there will be a greater focus on transparency. Employers will need to give employees more information about why their data is being collected and who it might be shared with.
There is also a greater focus on individual (employee) rights regarding their personal information. Employers will be required to inform employees of their rights, such as the right to access their information, to have it rectified if incorrect, the right to have it erased, the right to restrict processing, together with the right to complain to the Information Commissioner if unhappy about the way their information has been processed.
Finally, many organisations outsource the processing of employee personal information. The need for a written contract setting out the processor’s obligations remains, but there are new requirements: the processor’s employees must commit themselves to confidentiality; there must be no further sub-processing without the controller’s consent; and the processor must dispose of, or return to the controller, the personal data at the end of the processing service.
This guest post was provided by David Campbell of DPA/OK. If you require a review of your current level of compliance with GDPR, assistance with the drafting of policies/procedures or contracts with data processors then contact a specialist at Human Results, in confidence.