Many organisations are currently preparing themselves for the General Data Protection Regulation. For many, the initial focus for the forthcoming changes (May 2018) may be on their ‘day to day business’, but it is also important that this ‘day to day business’ includes their HR procedures. Consideration needs to be given to ensuring that current procedures comply with the new Data Protection Regulations.
As before, organisations still have a right to obtain and hold personal data providing they adhere to the six data protection principles.
What is changing?
- The data protection principles essentially mirror the principles in the Data Protection Act
- How you make people aware of the information however is
- You must ensure that data you are asking for is ‘adequate, relevant and limited to what is necessary’.
- Employees have enhanced rights in respect of their personal data
Why is it changing?
- Possibly due to advances in technology, including an increasing number of cyber attacks
- In response to the fact that personal data can be quickly shared
- To give data subjects (i.e. staff) more control over their data
What does this actually mean for HR?
- All employees must give their consent to information being retained, unless another ground for processing their personal data can be established. Consent must be obtained in a plain language document that cannot be part of an employee’s terms and conditions. Consent must also be obtained by way of an affirmative action taken by the employee (opting out is no longer an option).
- The regulation will also apply to potential employees during the recruitment process. Consideration needs to be given to how that is communicated
- Individuals have a right to request that their data is deleted; this does not however provide an absolute right to be forgotten
- Audits will need to be carried out. You need to know what data you hold, where it comes from, what you do with it, where you keep it, who needs to know and what happens to it when it’s no longer needed. (Consideration needs to be given to HR teams and Managers, but may also apply to IT – are you confident that all of your data is secure?)
- Training will be critical to ensure your staff understand why changes are necessary
What happens if I do nothing?
- Compliance isn’t optional!
- Significant penalties can be applied for organisations breaching the GDPR, which comes into force on 25 May 2018
If you feel your organisation would benefit from further advice on the changes you need to make to become General Data Protection Regulation compliant, whether on your ‘day to day’ business elements and/or the HR areas, the GDPR team at TC Young can assist. Get in touch – it’s not as daunting as it first appears!