The EU-wide General Data Protection Regulation (GDPR) becomes law in the UK on 25 May 2018. This has an impact on any employer in the UK that processes personal data.

‘Personal data’ is any information that enables an individual to be identified.

‘Processing’ includes everyday use of that data to manage employees such as keeping their contact details and using their information to pay their wages.

This guide aims to raise awareness of the changes in the law and how they affect the way you use, store and retain your employees' data.

Businesses are advised to also consider what other personal data they process and control.  They should conduct a data audit and have regard for the requirements of GDPR.  This document only covers how GDPR applies to the HR aspect of your business.

For employers the key issues to focus on are:

Privacy Notices

You must formally advise all employees (and applicants during the recruitment process) about how the personal data you hold about them is used, shared and retained. The notice needs to state what information you have, why you have it and what you use it for.

Where you share an employee’s personal data with any other party, you must make this clear to the employee in the Privacy Notice.

You must have a legal reason for processing personal data and state what that is in the Privacy Notice.

The Privacy Notice must be issued to all employees, either individually or by including it in your Employee Handbook.

New rights for employees

  • Subject Access Request – Employees have always had the right to request details of the personal data you have about them. In future you must provide the information they want within 30 days.
  • Right to rectification – Employees can ask for errors in the personal data you have to be corrected.
  • Right to be forgotten – In some cases employees can ask for a personal data record to be removed. The employer needs to be able to evidence that the data has been removed.

In anticipation of these changes, Opsium have prepared a template Privacy Notice document for our clients to use for this purpose, and it has also been included in the up-to-date handbook.

Breach Reporting

If there is a data breach, meaning someone who should not have seen the data has seen it or is in possession of it, it is mandatory that you report it to the Information Commissioner's Office (ICO) within 72 hours of the breach. They can be reached on 0303 123 1113.

Penalties for breaches

A breach could result in a fine for the employer.

Registration with the Information Commissioner's Office (ICO)

You do not need to officially register with the ICO as a data processor if you are only using personal data for Staff Administration.  However, you must still comply with all data protection obligations.

If your business is processing personal data for other reasons not connected with Staff Administration, the position may differ and you should take further advice.

Record of Data Processing

You should consider whether to conduct a data processing audit and record in a formal Record of Data Processing document how you manage personal data. Generally, small employers are not required to create a Record of Processing document. However, your business may be required to hold a Record of Processing document in respect of your other activity when processing personal data. The ICO website indicates that:

There is a limited exemption for small and medium-sized organisations. If you have less than 250 employees, you only need to document processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of individuals; or
  • involve the processing of special categories of data or criminal conviction and offence data.

Opsium have prepared a template Record of Data Processing Activity document for employers to use for this purpose. However, this template is a starting point and will need to be edited to fully reflect the data processing activity of your business.


Data Protection Officer

Some organisations may be required to appoint a data protection officer (DPO). However, it is unlikely this requirement will apply to an employer with fewer than 250 staff, unless they are using personal data on a larger scale or processing special categories of data.

The ICO website states:

Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.


The Government has confirmed that GDPR rules will apply post-Brexit.

How can Opsium help?

We are available to provide advice to clients on how to ensure they are compliant with GDPR from an HR perspective.

If you would like more information on how to become an Opsium client, please call our team on 0161 603 2156.