How GDPR Compliant Is Your Organisation’s HR Data?

The main principle behind the new General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, is to protect people from having unnecessary data stored about them, or data stored for longer than needed. In fact, there are seven main principles that you will need to keep in mind when processing personal data, namely:

  1. Lawfulness, fairness and transparency – you will no longer be able to charge a fee when you receive a request for data held, and it must be provided within a month
  2. Purpose limitation – data must only be collected for specified, explicit and legitimate purposes
  3. Data minimisation – it must be adequate, relevant and limited to the purposes required
  4. Accuracy – every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified, without delay
  5. Storage limitation – personal data should not be kept for anything other than the purposes for which it is being processed, or for longer than necessary
  6. Integrity and confidentiality – data must be processed using appropriate technical or organisational measures to ensure its security
  7. Accountability – you will need an officer or someone in your organisation to be responsible for, and able to demonstrate, compliance with these principles

Conduct an audit now!

It’s important that an audit is carried out as soon as possible prior to 25 May 2018. When preparing for GDPR, it may be necessary for various departments – IT, Legal, HR and Compliance – to collaborate, ensuring that data security is robust.

  • The audit needs to assess current HR data and related processing activities to identify any gaps with the GDPR.
  • Assess the legal ramifications of processing personal data. Although consent is currently necessary, existing consent may not meet the more stringent GDPR requirements. Keep in mind that consent may be revoked at any time. You may need to rely on other legal grounds to continue to process employee personal data, but if that processing can’t be justified you must cease it.
  • If your business is in an industry that’s highly regulated, you may be able to rely on compliance with a legal obligation as a basis for processing certain employee data. For example, some financial services employers need to provide and update regulatory references for staff for up to six years after the end of employment. Similarly, if you operate in a safety-critical environment, you could rely on health and safety risks to justify more intrusive processing of employee data, for example to establish fitness to work.
  • Review or implement documentation. This information must be written in a way that is easy for employees and job applicants to understand, and should include three key documents:
    • Data Protection Policy
    • Privacy notices for employees and job applicants
    • Data Processing Consent documents as signed by your employees
  • To maintain the GDPR principle of data minimisation, you will need to delete data once it is no longer necessary. For this reason, and because ex-employees and other data subjects have the right to require erasure or the restriction of processing, review the retention periods of your HR personal data. If you already have a data retention policy, check whether the existing retention periods for HR data can still be justified. Pay particular attention to matters such as disciplinary warnings and data retained after the end of employment.
  • Data breaches will need to be reported to the data protection authority within 72 hours of the breach occurring, so ensure a strict procedure is put in place. Allocate responsibility to named people to investigate and contain a breach and to make the report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • You may need to appoint a data protection officer, either through recruitment or by training an existing staff member. They will be the accountable person and will liaise with the data protection authority.

The Information Commissioner’s Office (ICO) recommends 12 steps that you should take now. Or speak to me – I will be delighted to help you make sense of the new GDPR and how its principles should be applied to your organisation.

Helping You

If you need help becoming GDPR compliant, I can provide your business with the documents that you need, which are:

  1. Job applicant privacy notice
  2. GDPR-compliant data protection policy
  3. Employee privacy notice
  4. Form to make a subject access request

I can also offer an audit to assess your compliance and the actions required, and deliver training for your employees, either face to face or by webinar. Get in touch if you need any of these documents or some training. Call me on 0118 940 3032 or email me.