Time to look at your HR policies

By Kimberley Barrett-St Vall, employment and HR partner at Napthens Solicitors.

The EU’s General Data Protection Regulations will make changes to the Data Protection Act 1998. Breaching the GDPR can have significant fines of up to €20m euros or 4 per cent of the global turnover.

Businesses will benefit from adopting a holistic approach to GDPR compliance across their entire organisation, factoring in IT systems, cyber security, marketing as well as HR and employment law issues.

In this article I’m taking a closer look at the part HR will have to play in GDPR compliance:

Recruitment

Your business will be under an obligation under the GDPR to provide greater detail to candidates setting out:

details of the data controller
the category of data being processed
the legal basis of processing
the recipient
the processor’s details
if the data is to be transferred outside the EEA
the consequences on the employee of not providing the information on the contract

If as part of your recruitment process your business uses any form of profiling, candidates must be made aware of this and its consequences.

Employers should only collect the minimum amount of information for a specific purpose and ensure the data is stored for no longer than necessary. Access should be restricted in consideration of what is necessary.

Processing Employee Data

It is common practice for employers to use the employee’s consent as the basis of processing personal data. Even prior to the GDPR this approach was criticised, as it is questionable whether consent can be given “freely in an informed fashion and specific and explicit”, given it is often conditional on the offer of employment.

Going forward you should rely on the legal basis for processing employee personal data. Businesses must ensure processing is based on one of the following:

for compliance of a legal obligation e.g. payroll processing data to ensure the employee is paid
for the performance of a contract e.g. processing data in the context of healthcare insurance provision
based on a legitimate interest of the employer (or third party processor)

Data Subject Access Request

Post May 2018 there will be no fee to pay if employees make a data subject access request and requests must be dealt with in 30 days (currently 40). There is likely to be an increase in requests and it is important you understand how to handle these requests efficiently. The GDPR is clear - it requires employers to demonstrate compliance. I suggest this involves more than a tickbox exercise and rather a change in culture with a commitment to embrace the GDPR. Given your Data Protection Officer cannot be everywhere at all times, cascading understanding and awareness through new policies and procedures and support through training for your employees will be vital.