Part Two: Our Guide to the General Data Protection Regulation 2018
The General Data Protection Regulation 2018 (GDPR) comes into force on 25 May 2018, so if you haven’t already started, now is the time to take action. In part one of our GDPR blog, we explored the new data protection rules and the different roles involved, i.e. Data Controller and Data Processor. For more detailed information on these principles, please visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
In the second part of our blog, we look at the subject of employee data consent and what you need to be aware of as an employer, as well as sharing some vital next steps for your business.
Why is Consent so important?
GDPR has been created to protect the data rights of the individual. This means that the way in which you gain an employee’s consent needs to become a key part of your business processes. In our previous blog, we looked at the principles of processing Personal Data and the mechanisms required to ensure compliance. So, what are the rules around consent?
Consent and your Employees
Employees are considered “data subjects” and have the right to withdraw consent; withdrawing it must be as easy as it was for the employee to give consent in the first place. When an employee provides their consent, it must be freely given, specific, informed and unambiguous. You will no longer be able to rely on the employee’s consent contained within their employment contract. You will still require some contractual reference to data processing in respect of the obligations placed on the employee during the course of their employment.
Consider that you have an awkward employee who is in the middle of a formal procedure, such as a disciplinary or performance process. What happens if that employee refuses to allow you to continue processing their personal data? The simple answer is that you could not proceed with the process, which would leave you unable to manage your employee effectively. You would instead need a legitimate interest as a legal basis to process the data.
How do you manage Consent during formal procedures?
In a formal procedure, you would have a legitimate interest to process the employee data, i.e. to protect your business. Furthermore, the implied duty of trust and confidence within an employment contract means it is reasonable to expect the employee to be aware of this, which supports your legitimate interest. Your policies and procedures should identify the standards of conduct required of employees. Therefore, you would keep the data for a period of time determined by the business (and documented) for the purpose of being able to defend any employment tribunal claims brought by the employee.
5 Vital Next Steps for GDPR Compliance
If you haven’t already started to work on GDPR compliance, you need to make this a top priority. Although this blog focuses on employees (as we are an outsourced HR provider), you will also need to be compliant with any third parties you work with, such as outsourced marketing services, as well as e-commerce and your customer data.
So, from an employment point of view, here’s what you should be doing right now:
1. Conduct an HR audit
You will need to identify all the data that comes into and leaves the business. This must start before a data subject even becomes an employee (at the recruitment stage). You will need to know if the data subject (candidate or employee) provides the information about themselves, or identify where the information came from.
Your managers will have to map the data flow both into and out of their departments. This data map will contribute to the overall picture, which you will have to identify and analyse.
The purpose of the HR audit is to identify where you are compliant and where you are falling short of requirements, so you can take the next step in the GDPR compliance process. At Jude Read HR, we have a useful spreadsheet, which we can provide to employers for this purpose.
For your HR audit data mapping exercise, here are some areas for you to consider:
- IT systems, servers, back-up, emails, inbox, deleted folder, hard and soft copies of data, shared drives, trash folders on the desktops, portable storage devices, the cloud and how long the data is retained in your IT systems.
- Mobile devices, laptops, phones, tablets, GPS trackers and CCTV.
- Third parties – how is data passed to them? How do they process data? Who has access to this data?
2. Identify your third-party suppliers
You will need to identify your third-party suppliers and how data flows into and out of their businesses, as security is a crucial part of the compliance process.
Third-party suppliers may cover the following:
- HR and Payroll including HR software
- Insurance, Pensions and companies offering employee benefits/perks
- Employee assistance helplines
You will also need to know if your third-party suppliers use sub-processors, as this will form part of your compliance process. You will need to review all the contracts you have in place with your third-party suppliers and implement contracts that meet GDPR requirements.
3. GDPR Principles and legal bases
When you know the lifecycle of the data into and out of your business, you can start to focus on the principles of GDPR and identify your legal bases for processing the data.
4. GDPR documents
You will need to create, or update, your policies, procedures, forms, assessments and registers. This will include documents such as:
- a data subject access request (DSAR) form
- details of your legitimate interests, demonstrating that you have considered the fundamental rights and freedoms of the data subjects
- a privacy impact assessment form for when processing is likely to result in a high risk to data subjects
- an updated data protection policy
- a clear desk and clear screen policy
- a record of processing activities – whilst not required by the new regulation for companies with fewer than 250 employees, the exemption is ambiguous because of the wording ‘processing is not occasional’
- a breach process
5. Employee and Management – GDPR Training
It’s essential that your employees and your managers are fully trained in GDPR, and always make a record of any training sessions to safeguard against any issues in the future.
We hope you’ve found our two-part GDPR blog useful. We have only provided a brief overview, but we hope you can see why General Data Protection Regulation 2018 needs to be a top priority for your business. If you have any queries relating to your data processes and procedures, we offer on-site, hands-on support, documents and ongoing HR advice. We can support your business through the entire GDPR process.
For more information on our HR consultancy services or HR Retained Support, please contact us on 01455 231982 or complete our contact form.