GDPR for Employers
On 25 May 2018 the law on processing personal data will change when the Data Protection Act 2018 and the EU General Data Protection Regulation (‘GDPR’) come into effect. Brexit will not stop GDPR coming into effect.
How will GDPR affect my business?
GDPR will affect any areas of a business that process personal data including data about customers, suppliers and website users as well as data held about employees, workers and consultants.
The Information Commissioner’s Office (ICO) currently regulates the use of personal data under the Data Protection Act 1998. Although the fines for a breach of data security are significant, the ICO will in the first instance encourage businesses to resolve any issues. It has issued a 12 Step Guide to preparing for GDPR together with a Data protection self-assessment toolkit.
Data Protection Principles
The new legislation sets out various data protection principles that businesses must comply with when processing personal data:-
- Personal data must be processed lawfully, fairly and in a transparent way
- Personal data must only be collected for specified legitimate purposes and processed for those purposes only
- Personal data must be limited to what is necessary for the purposes for which it is processed.
- The personal data must be accurate and kept up to date; inaccurate data must be removed quickly or corrected
- Personal data must not be kept for longer than necessary for its purpose
- Personal data should be destroyed securely and confidentially to ensure it is not lost, damaged or destroyed.
Lawful reasons for processing personal data
Businesses will only be able to process personal data where they have a lawful reason for doing so:-
- With the express consent of the data subject, given freely and being specific, informed and unambiguous;
- For the performance of a contract including a contract of employment;
- For compliance with any legal obligations such as to HMRC for PAYE purposes or where disclosure is required in employment tribunal proceedings or court action;
- To protect the vital interests of the data subject or a third party;
- If it is in the public interest; or
- For the legitimate interests of the business.
What should you do next?
As an employer you will need to carry out a data mapping exercise to establish what personal data you hold and why. There is likely to be a lot of data from a variety of sources, held for a number of reasons, so the exercise will take some time. Once you have completed it you will be able to establish which of the lawful reasons apply. You must then communicate all this information to your employees together with their rights in respect of any personal data processing. It is important that you get this right from the start, as employees will have to be notified before any change is made to the way in which, or the reasons for which, their personal data is processed.
How can we help you?
As HR specialists we can offer help and guidance to you while you carry out your data mapping exercise. We can also supply you with a bespoke Data Protection Policy setting out the information you need to give your employees under GDPR.
If you would like further details about our Policy then please phone us on 07854140504 or email firstname.lastname@example.org