GDPR?

It stands for ‘General Data Protection Regulation’ and in essence it’s an extension of data protection laws that will hit us on 25th May 2018 – its impact will be on all of us, whether we be data controllers or data processors. Given that large fines tend to result from breaches of national legislation (in this case up to 4% of turnover), we’d better take notice.


All employers will be ‘data controllers’ with respect to their employees’ personal information. When it comes to employee data, a ‘data processor’ could be any organisation to whom you entrust your employees’ personal information in order to carry out a particular action or function – your payroll company, HR or legal advisors etc. GDPR places enhanced obligations on data controllers, both in terms of their own treatment of an employee’s personal information and in requiring them to take reasonable steps to ensure that their data processors are abiding by data protection laws too.

So, as an employer, and therefore a data controller, what will you need to do?

  1. Update (or ask myHRdept) to update your Data Protection policy to reflect the, now, 10 key principles (used to be 8)
  2. Create a list of all personal data you hold:
    a. what is it?
    b. why do we have it / what’s it used for?
    c. where is it kept?
      i. physical locations
      ii. systems
    d. can data be corrected/erased, and can a statement of it be printed, if the employee requests it?
    e. how long is it kept for?
    f. who has access to it?
      i. do third party processors have access? For what purpose?
      ii. if they do, do you know that each third party complies with GDPR?
      iii. you will need a current copy of their GDPR policy and a signed agreement with them (see 3b below)
  3. Establish data processing agreements:
    a. Between you and (each of) your employees
    b. Between you and third party data processors who use employee personal information
  4. If you have more than 250 employees, appoint a Data Protection Officer (and train them.) You should consider this too even if you don’t have 250.
  5. Establish a privacy statement, detailing how you will deal with data, who the responsible person is, and how queries/concerns should be addressed (this needs to be readily available and linked from other texts, signature bars, job adverts etc.)
  6. Establish a data breach plan – what will you do if it transpires that personal information has been inappropriately divulged? The new regulations are clear that reporting to the regulator is mandatory and must happen within 72 hours of the breach.

Fundamentally, what does GDPR change when it comes to data protection regulations?

  • Implied consent e.g. ‘opt in’ via employment contracts will no longer be permitted (see 3a)
  • Demonstrating compliance will be a legal requirement
  • Additional rights of the data subjects such as a ‘right to be forgotten’ meaning data subjects (e.g. employees) can request their details be erased
  • Privacy statements are required clearly outlining the rights
  • New rules for the transfer of data outside of the EEA
  • Changes to the current Subject access request timelines and costs
  • Penalties for non-compliance are far greater

Over the course of the coming weeks and months we’ll develop template agreements, privacy statements etc. and share these with those of our clients who want them. I should stress, though, that GDPR is not limited to HR, and neither are we positioning ourselves as GDPR advisors – like everyone else, we’re trying to find our own way through the requirements and implications. Business owners and managers should obtain independent advice on the wider requirements of GDPR, and would be well advised to train at least one employee to become a responsible person for data protection in the business, even if they don’t employ 250 people (the mandatory threshold for doing so).

If you’re thinking of outsourcing your HR, why not contact myhrdept.co.uk? With full service Premium Plus packages from only £140 per month (and start-up packages from just £80 per month), and fixed price HR support options available for one-off issues, we believe we offer the best combination of quality and price available in the UK. Call us on 01628 820515 to discuss your requirements, or contact us and we’ll call you back.
