In some circles, it has been difficult to escape mention of the GDPR, coming into force in May 2018. Whilst much of the focus has been on the personal data held on consumers, employers will need to carefully consider how they hold and process personal data in respect of employees, workers and contractors and how they can continue to be compliant with Data Protection regulations after May 2018. GDPR is here to stay even after we leave the EU.
Much of the publicity around GDPR has concentrated on the sanctions for non-compliance, which include fines of up to €20 million or 4% of an organisation’s annual worldwide turnover.
The key change for employers is that they will no longer be able to rely on data protection clauses in contracts of employment providing consent for the holding and processing of personal data. Instead, employers should consider what lawful purpose justifies the retention and processing of personal data (such as the need to pay the employee and make deductions for tax, national insurance and pension contributions).
Employers are likely to hold and process special category personal information, in respect of racial or ethnic origin, religious belief and sexual orientation for equal opportunities monitoring and in respect of the employee’s health for the purpose of administering sick pay, ensuring health and safety or making reasonable adjustments for disabled staff. Equal opportunities monitoring is explicitly considered a lawful reason to justify the holding and processing of such special category personal information.
It is important therefore to make sure to issue a Data Protection Notice to all staff, whether they are employees, workers or contractors. It should detail the personal data (including special category information) held about staff, how it will be processed and the lawful purpose of so doing. It should be clear whether that data will be shared with third parties (such as payroll companies or other companies in the group) and whether it will be transferred outside the EU.
It is also likely that employers will hold and process personal data about job applicants. They too should be sent a Data Protection Notice, perhaps with the acknowledgement of their application.
GDPR also requires data controllers to consider for how long it is really necessary to hold personal data. Employers will need to put in place systems to ensure that information is deleted when it is no longer needed. Details of for how long data is retained should be included in the Data Protection Notice.
Another key change is to subject access requests, which must now be supplied within one month and without charge (unless the request is unfounded or excessive). The right to make a subject access request should be detailed in the Data Protection Notice.
On other point to note is that GDPR will require employers to report any personal data breach to the Information Commissioner (within 72 hours of discovery). A high risk breach should also be notified to those concerned directly.
If you have any questions about the steps needed to make your HR practices GDPR compliant or need help drafting a Data Protection Notice, contact Louise Taft on 020 7935 3522 or firstname.lastname@example.org
Whatever your personal circumstances the above is only a guide and we would advise you to contact us to obtain definitive advice as you will appreciate that each person’s circumstances are unique to them.