Part One: Our Guide to GDPR Compliance / General Data Protection Regulation 2018
Are you GDPR compliant? For many businesses, the answer is probably ‘no’ – this is fine for now, as there’s still time. The General Data Protection Regulation (GDPR) deadline is 25 May 2018, and to become compliant, you will need to understand exactly what these new rules mean and how they will impact your business. This two-part blog article provides an overview of what you need to be aware of at this stage.
Are you a Data Controller or Data Processor?
A ‘data controller’ will determine the purpose and means of how data is processed, whilst a ‘data processor’ will process the personal data on behalf of the controller.
Have you identified whether you are a data controller (employer) or a data processor (outsourced services like HR and payroll), or perhaps you may even be both?
What does ‘Personal Data’ mean?
To comply with the GDPR (General Data Protection Regulation 2018), it is important to understand the definitions of the terms used.
The definition of personal data in Article 4 of the GDPR is quite lengthy; in a nutshell, it means:
‘Any information relating to an identified or identifiable natural person (‘data subject’)’
‘Identifiable’ means a data subject (for example, an employee or a person on a database) who can be identified, directly or indirectly, by reference to an ‘identifier’.
Put simply, examples may include a name, address, ID badge, swipe-in badge, clock number or an IP address that you (as the employer) hold in relation to your employee. It also includes any expression of opinion about, and any indication of the employer’s intentions in respect of, the employee; this may include information in an email, document, certificate or report.
GDPR Principles of Processing Personal Data
Data processing and the rights of data subjects (for example – employees) must be considered throughout all processes and must be demonstrated in writing. Therefore, employers must embed privacy by design and default into the operational and strategic management of the business. Unlike the current Data Protection Act 1998, you will have to provide evidence of compliance, which is an extra burden to all Data Controllers and Data Processors.
Employers must put mechanisms in place to ensure only necessary personal data is processed for each specific task.
GDPR principles include:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
For more detailed information on these principles, please visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
Data Processing – Personal Data
There are six lawful reasons for processing personal data:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Data Processing – as an Employer
Employers are advised to move away from relying on consent to process employee data. This is because consent can be withdrawn by an employee, which may result in you not being able to efficiently manage that employee.
ACTION: Identify your legal basis for data processing
As an employer you are likely to rely on the following:
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps to enter into a contract;
- Processing is necessary for compliance with a legal obligation to which the data controller is subject;
- Processing is necessary for the purposes of the legitimate interests* pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
*Employers will have to demonstrate in writing that they have given proper consideration to the rights and freedoms of data subjects.
Personal Data – what do I need to consider?
To help you kickstart your thought process, we have listed the following considerations:
- Performance of a contract – you need employees’ bank details to be able to pay them.
- A legitimate interest – you may have next of kin details in case of an accident under Health & Safety obligations. Likewise, you may have similar personal details contained within a risk assessment form.
- Legal obligations – you will have a valid basis for processing employee data in respect of legal obligations imposed on you as an employer. This includes obligations under Health & Safety legislation, employment legislation and tax legislation.
In our next blog, we will be looking at the subject of consent in more detail, and we will recommend some vital next steps you need to consider when it comes to GDPR.
We will be posting part two of this blog in January 2018. In the meantime, if you need help with GDPR, we can offer on-site, hands-on support, documents and HR advice throughout the process. If you would like more information, or you would like to book either a consultancy day or a block of HR consultancy days, please contact us on 01455 231982 or complete our contact form.