In previous articles on the GDPR we have looked at the new rights for individuals and the obligations it places on the enterprises that hold personal data. In this article we briefly look at the implications for HR and for how you manage staff and/or volunteer information.
This is a guest article by Tracey Barney MCIPD of Guildford HR.
The General Data Protection Regulation (GDPR) applies from 25 May 2018, but all businesses and organisations need to act now. Small business owners, clubs and charities: this affects all of you. You may think that because you do not have a consumer-facing business you are not affected, but you all hold and use personal data, some of it sensitive.
Even if you feel you comply with the current Data Protection Act 1998 (DPA), the GDPR introduces new rights for individuals and new obligations on those who hold or process personal data. The eight DPA principles remain, but there are also new principles to consider.
The GDPR is an opportunity to strengthen your clients' and customers' trust and confidence in your business.
What is new in HR terms?
- The right of access – individuals can ask for the information held about them, which must be provided as soon as possible and within one month. In most cases the organisation can no longer charge a fee for this administrative task.
- The right of rectification – an individual can have inaccurate data corrected without undue delay.
- The right to be forgotten – the individual has the right to request that data is deleted or removed where there is no legitimate reason for it to remain. This means organisations need a data retention policy.
- The need to have a "lawful" reason for holding personal data. Gaining consent is one way, but under the GDPR consent must be "actively" given (a clear affirmative action, not a pre-ticked box or a clause buried in a contract). This means you will need to change the way you recruit and manage candidate data for employees, volunteers etc.; a consent clause in your contracts today is unlikely to meet this obligation. You could also consider using another lawful basis for processing employee data, such as performance of an employment contract or the legitimate interests of the business. This needs some thought now, as you will need to make changes, and some of you may have some form of candidate tracking system (be it a simple spreadsheet or a dedicated system) that needs to be modified.
- Retention of data – you need to consider why you need that data. For example, after an employee leaves, a legitimate reason for keeping some data could be dates of employment for future references, or the details needed to pay a future pension.
- Where is your data held? – do third parties hold your data: pension providers, payroll providers, accountants? You need to assess their processes and ensure that they are compliant with the new regulation. You remain responsible for your employees' data.
- The introduction of accountability – you must be able to demonstrate compliance with the GDPR principles.
- Data breach notification requirements – depending on the breach, it will need to be reported to the supervisory authority within 72 hours of your becoming aware of it. If the breach is likely to result in a high risk to the individuals concerned (for example, where sensitive personal data is involved), it is likely you will need to inform the individuals too.
Why act now?
It will take time to work through how you implement the new regulation, so you need to start now. As an added incentive, the fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher) and the risk to your reputation are significant and very real if you fail to comply.
Haslemere Chamber education event, 28 November 2017
Attend the Chamber's GDPR education session, at which the new terminology will be explained in plain English and you will leave with an action plan. Tracey Barney MCIPD will focus on the HR issues of the GDPR. She runs a growing HR business supporting SMEs and charities. Tracey knows your time is precious, and so is very keen that you leave the session with a practical action plan for your organisation. Further details and booking for this event are available from the Chamber.