In May 2018 GDPR changed data protection regs almost beyond recognition. Clearly myHRdept handles clients’ Personal Data (data identifying an individual) and sometimes Sensitive Personal Data. Readying ourselves for the new regulations was a herculean task and one we enjoyed not one bit. What we did do, however, was take a close look at what Personal Data we process and store, and we introduced some new and sensible controls. To read more about GDPR and data protection, have a look at our 2018 article here.
In the course of employing people most businesses will accumulate a fair amount of Personal Data relating to employees and applicants. Personal Data (data which identifies a person, e.g. name, address, NI number etc.) must be processed in accordance with the new data protection regulations. These require employers to nominate a person to be responsible for adherence to the data regulations within the organisation and, in some cases, require express consent from ‘Data Subjects’ (aka…people…) to use their data for defined (and lawful) purposes. Through completing a Data Impact Assessment, organisations must be able to show what data they store, why, what risks exist and what measures they have taken to reduce those risks and to avoid data loss or unauthorised disclosure. Our article goes into more detail on the policy and the various schedules, and we’re happy to share all of these with our retained clients. We’ll re-visit these documents in a year or so to assess how effectively we’ve actually implemented the regulations.
In summary, some of the more important changes introduced by the 2018 GDPR regulations (this is very much a headline summary) are:
- Implied or forced consent is no longer sufficient, and so the old contractual terms stating that an employee consents to their data being used for whatever reasonable purpose no longer apply. In practice most organisations now require employees to sign a data protection policy or a privacy statement which sets out what data is stored, why, what security measures are in place, when consent is needed and when it isn’t, and what rights the employees have under the regulations.
- Employees’ rights include the right to be forgotten, the right to access Personal Data relating to them (the old £10 fee has been scrapped) and the right to order corrections. Clearly employees also have a right to expect that their employer takes adequate security measures to protect their Personal Data and states how long particular data will be kept (e.g. payroll records for 7 years, identity documents for 2 years etc.).
- Data should not be transferred outside of the EEA.
- Where third parties process Personal Data an agreement between the employer and that third party should be in place.
- Data breaches must be reported to the ICO.
- The ICO can impose fines for breach of up to 2% of annual turnover capped at 10 million euros.
You can read more about GDPR data breaches by visiting the ICO website; the link takes you to the ICO’s ‘at a glance’ page.
The obvious implication is a potential 10 million euro fine, but that small matter aside, the major risks arise from improperly secured Personal Data and inadequate firewalls, passwords and virus protection. Employees have long had the right to access information that identifies them, and careless emails can be significant in tribunal proceedings. Emails to and from myHRdept once litigation appears possible will generally be protected by ‘litigation privilege’, but earlier emails and internal emails will not. We normally suggest a name-free protocol when handling cases and an early check of all emails to assess whether there are any unhelpful emails in the Company. An employer is free to irretrievably delete emails right up until the point a disclosure request is received from the employee, but at and after that point any deletions will be unlawful.