Hallidays Accountants and Business advisors are helping fellow businesses to understand the impact GDPR will have in respect of personal data and their HR policies and have prepared a list of FAQs.
General Data Protection Regulation, GDPR, is the new data protection legislation effective from 25 May 2018 and will affect anyone and everyone who comes in touch with any form of personal data, both here in the UK and across the EU.
GDPR builds on the previous legislation but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. Consumers and citizens have the right to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it.
The new GDPR legislation puts an onus on businesses to change their entire ethos to data protection. But what about the employee personal data that is held by companies across the UK? The message about GDPR is continuity and change; Hallidays FAQs include information that may be of particular relevance to HR departments and to those involved in the hiring, training and retaining of employees.
Who are ‘data subjects’?
The guidance on GDPR uses the term ‘data subject’. It includes data held for all employees and other workers such as casual and temporary staff, students, work experience students, interns, volunteers, agency workers, contractors, sub-contractors and self-employed consultants.
Do I need to make changes to employment contracts?
If, like most employers, your employment contracts contain express contractual clauses allowing you to process data, then yes, you will need to make changes. This ‘express permission’ will no longer be sufficient. You will need to review and revise your employment contracts for new staff and consider how best to obtain consent for existing employees.
Do employees have any special rights under GDPR?
Yes, they have a number of specific rights including having the right to:
- Be informed about processing
- Access data held about them
- Request rectification of data
- Request erasure of data
- Restrict processing
- Data portability
- Object to processing (if consent was being relied upon for processing, or on grounds related to an employee’s “particular situation” if “legitimate interests” were being relied upon); and
- Not be subjected to a decision as a result of automated decision making and profiling
Our recruitment processes include automated scoring. I understand that GDPR gives applicants special rights.
Yes. Applicants have the right to request that any test or recruitment score is reviewed, and subjects can ask for ‘human intervention’ to express their point of view and challenge any decision made.
You will need to revise any processes that include automated scoring and ensure you tell applicants of their rights.
Do we need to make changes to other HR processes that rely upon automated decision making?
Yes. Applicants and employees have the right not to be subject to a decision when it is based on automated processing if it produces a ‘legal effect’ or similarly ‘significant effect’ on the individual. If such a process applies, subjects must be able to obtain human intervention, express their point of view and challenge the decision.
This might apply, for example, to the application of triggers for performance or absence management, or to scoring for redundancy selection or de-selection.
You should review and amend any HR process that uses data, and ensure not only that you have appropriate consent to process it but also that any data on which you base decisions is accurate and up to date.
Employers would be wise to consider whether they need to introduce any further safeguards or consents.
We have undertaken an audit of all HR information retained – from data collected at the application stage, from payroll information to next of kin information etc. Have we missed anything?
HR faces specific challenges under GDPR because much of the information collected is unstructured in how it is stored (for example, emails about work matters may also contain personal data about employees). This can be a considerable headache for employers when employees make requests, under the data subject access provisions, for access to data held about them.
In an employment context, data processed on employees can include pre-employment vetting, payroll, monitoring timekeeping and absence, personnel records, CCTV, computer access information, emails, phone records, appraisals, mileage information, tachograph information, door access records, expense claims etc.
Do we only need to be concerned about employee data once someone has joined our employment?
No, you need to treat any data collected during the recruitment process in the same way. You will need to draft a ‘GDPR – Fair Processing Notice’ to issue to all applicants for whom you collect data. This needs to tell all applicants how long you will retain that data.
Expert Opinion contributed by Stockport based Hallidays