What you need to know about GDPR and HR.
Oh yes, it’s another GDPR blog. Because let’s face it, now that the countdown is at just one month, it’s the only question on a lot of business owners’ minds. Many companies are focussing all of their efforts on their external data – the information they hold on their clients, their partners and their suppliers. But one of the things a lot of businesses are missing is the handling of internal personal data. You see, GDPR isn’t just about your customers and their data. It’s also about the data you hold on your employees.
Employee Rights Under GDPR
GDPR is changing a lot of things around individual rights when it comes to data. That isn’t just on the customer side either – it applies to employees too. Under GDPR, employees will have greater rights. The good news is that most of these rights are the same as they were under the Data Protection Act 1998. But there are a few new rights that have been introduced, and there are some pretty hefty fines if they are violated. To give you an idea, employees as data subjects will have the following rights under GDPR:
The right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
The right of access, similar to those rights under the DPA and encompassing the ever-popular subject access request;
The right to rectification of data that is inaccurate or incomplete (again similar to the DPA);
The right to be forgotten under certain circumstances;
The right to block or suppress processing of personal data (similar to the DPA); and
The new right to data portability, which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
Do I Have To Get An Employee’s Consent To Retain Personal Data?
GDPR’s main focus is all around consent – the idea that someone has to give you express permission to gather and use their information. Fair enough! But when it comes to employees giving consent for their data to be used by employers, the lines get a bit blurry. You see, employee consent is generally not considered to be “freely given” because there is a pretty big power imbalance there. After all, if an employee refuses consent, they may be worried about their employment from then on. So instead, employers are allowed to hold and process employee data on the basis that it’s necessary under their employment contract, as long as they don’t hold on to it for longer than needed.
Think About The Data You Collect In HR
From the moment a candidate first makes contact with your business through to when they leave your company, you will be collecting masses of data on them. Under GDPR, they could request to see any and all of it at any time, or ask for it to be destroyed. This is something that often won’t occur to you until you need to do it, which can make it more difficult to handle. So here are a few scenarios you might want to prepare for:
Recruitment – There is a huge amount of personal data collected during the recruitment process – probably more than at any other time while an employee is with you. Between CVs, portfolios, application forms, references and any other interview processes your business goes through, it’s a lot of information. So what is your policy for processing that? How do you prove that consent was given for it? How long do you keep it for, and how do you dispose of it? If a candidate isn’t hired, what do you do with their data then? Recruitment might be the most time- and data-intensive part of the HR function, so you need to have a solid data management policy in place.
Payroll – Here’s where it gets complicated. GDPR gives employees the right to have their personal data removed at any time. But there are other laws that mean businesses have to keep certain data – like financial information, which has to be kept for 7 years. So what happens when an employee asks to have their payroll data removed when they leave? There are ways to make sure you’re complying with both regulations, but it’s not a simple fix!
Expenses, Travel, Medical Info – It’s important to remember that GDPR will affect any and all internal systems that process employees’ personal data. That’s everything from expenses claims and travel records to medical information. Can you be sure that all of that information is safe and secure?
Of course, that’s not all. There are so many other elements of the employee lifecycle that you will need to consider. If your business doesn’t have an internal HR department to handle this, then it can be difficult to stay on top of everything. At AJ HR Solutions, we are on hand to help with your HR questions and get you ready for GDPR. For more information, just get in touch with us to book your free, no-obligation consultation.