GDPR and HR: What you need to know
The much-anticipated General Data Protection Regulation (‘GDPR’) will come into force on 25 May 2018.
Employers and HR professionals will be particularly interested to know how the new regime affects the collection and processing of HR-related data, especially considering the significant penalties that the GDPR will introduce.
Key areas of significant change are:
It will be harder for employers to justify processing employee personal data based on consent. The GDPR introduces prescriptive requirements for obtaining consent, and employees must be able to withdraw consent at any time. Employers should therefore consider other legal grounds to process data, for example legitimate business interests, performance of the employment contract or compliance with a legal obligation.
The information which must be provided to staff and job applicants at the point at which data is collected will be more detailed. This includes, non-exhaustively, how long data will be retained, whether data will be transferred overseas and the mechanism by which these individuals can make use of their data subject rights.
Enhanced rights for staff include, in certain circumstances, a new right to have data deleted and a right to have data rectified. Changes will also be made to data subject access requests, including a revised response time and the provision of more detailed information in response to a request. Employers should consider how these rights will be dealt with in practice.
A new mandatory breach reporting requirement will be introduced whereby breaches likely to pose any risk to the member of staff must be notified to the Information Commissioner within 72 hours. The member of staff will also have to be notified where the breach poses a high risk to their rights and freedoms. Employers should therefore develop a breach plan, enabling them to react promptly in the event of a breach.
If your organisation hasn’t yet started working on GDPR compliance, or if you are still in the process of finalising how your organisation should respond to this important piece of new legislation, there is still time. Contact us to seek expert legal advice if there are areas that you require assistance with.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org