Will your HR department be GDPR compliant by 25 May?
In an effort to prepare our members for the new data protection regulation, we've reported on the changes through our various channels and have run a number of regional workshops. As a result, you may understand your responsibilities to protect your customer's data, but are you also aware of your Human Resources responsibility?
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 throughout the EU and will replace the Data Protection Directive, which is implemented in the UK through the Data Protection Act 1998. The implementation of this regulation will not be impacted by the UK's vote to leave the EU.
The GDPR will apply to 'personal data', meaning information that relates to an identifiable person, and will include any information held in paper files or electronically, including information that may be held outside the EU (for example an HR database or outsourced payroll). The GDPR will regulate the 'processing' of such data, including its collection, storage, use, alteration, disclosure and destruction.
Companies will need to implement appropriate measures to ensure that they comply with the GDPR and that only personal data necessary for each specific purpose is processed. This includes ensuring:
- Only the minimum amount of personal data is collected and processed for a specific purpose
- The extent of processing is limited to that necessary for each purpose
- Personal data is stored for no longer than necessary
- Access to the data is restricted to that necessary for each purpose
At the point of collecting data from employees or job applicants, employers will have to provide more detailed information about the processing of personal data than they do currently. Employers can use information notices, also known as 'privacy notices', to provide this information. This will also apply where an employer wishes to process existing data for a new purpose.
One of the biggest changes will be the principle of accountability: companies will have to demonstrate that they comply with the GDPR. This means that extensive internal records of data processing operations will need to be kept, and these will also have to be produced for inspection if requested. To assist with this compliance, employers should create a data register containing information about all personal data that is collected and processed by the company.
The GDPR will also place much more stringent obligations on employers to ensure that they have the systems in place to respond to any 'data subject access requests' received from employees. Whilst employees already have the right under the current Data Protection Act to access information that their employer holds about them, the GDPR refines these rules to make the process more transparent and accessible.
This article highlights changes to the requirements for processing employee data under the GDPR, but members should be aware that the GDPR is complex and contains additional requirements and details that go beyond your employee data.
If you would like additional information on being GDPR compliant within your HR department, please contact your Regional HR Business Partner or access our example GDPR-compliant HR documents*.
*available to Gold and Platinum members
Need more information on GDPR? Then be sure to book yourself on one of our GDPR workshops.