Designed to strengthen the protection of personal information held by organisations, the new GDPR regulations come into full effect on 25th May 2018. GDPR carries significantly stronger accountability requirements and enforcement powers than the Data Protection Act, and all organisations will therefore need to review the way they record and manage employee records.
The legislation focusses on all personal data collected or recorded by an organisation. This includes information relating to those who buy products and services (or interact with companies in some way), but GDPR also covers information about employees. A key stance taken by the legislation is that this information belongs to the individuals and not to the organisation.
There are a number of important principles detailed within GDPR. These are discussed in this article. HR officers and others who are responsible for HR records (and other employee-related data) will need a good understanding of GDPR. While it is not yet clear how some parts of GDPR will be implemented when the legislation is fully introduced, most organisations are likely to have to look at the way they manage personal information to ensure GDPR compliance.
GDPR states that an organisation needs a lawful basis for collecting and recording personal information, and it is the organisation's responsibility to identify and document the justification for each of the records it keeps.
Some records are clearly very easy to justify, for example, details of next of kin are required if the employee has a problem at work and help is needed from a family member; details of holiday and absence are needed to enable staff to plan workloads and resourcing, and to ensure that employees are paid correctly.
Other records may be more difficult to justify. Once GDPR is in place, organisations will certainly need to consider the type of employee-related information they collect and record much more carefully.
The GDPR legislation is designed to give individuals an assurance that information about them is held securely. Organisations must put in place robust measures to ensure that unauthorised access to personal information is prevented and that employee details are not misused or tampered with.
Organisations must also formally acknowledge that they are responsible for the personal data they hold, and that they are accountable to the individuals concerned if their personal information is misused, or if the measures they have put in place to protect the information are breached in some way.
Organisations will need a lawful basis for holding each category of personal information, and must be able to demonstrate it. Consent is one such basis, but in the employment context it is often not the appropriate one, because an employee may not be able to refuse freely; performance of the employment contract, a legal obligation (for example, payroll and tax records) or the organisation's legitimate interests will usually apply instead. Whatever the basis, most employees will not have a detailed understanding of the legislation, and it is the responsibility of the organisation to inform employees about the process and about their rights. As part of this process the organisation will need to explain why it needs to collect and record this information, and what it plans to do with it.
Note that some records are given elevated status by GDPR as "special category" data, for example health-related records. Such information can only be processed where one of the additional conditions in the legislation is met, such as the explicit consent of the individual or a necessity under employment law (for instance, recording sickness absence for statutory sick pay).
Within an organisation, personnel information can be recorded in a wide variety of different ways. It is not uncommon to find that an organisation:
All of these records fall within the scope of the protection provided by GDPR.
GDPR requires that, once information is no longer needed (and there is no longer a justification to keep it), it must be deleted from company records. This applies when staff leave the employment of an organisation, but it also applies in other situations too. Note that the legislation does not set fixed retention periods; the permitted period depends on the purpose of the record and on other legal obligations (for example, payroll records must be retained for tax purposes), so different types of information will legitimately be kept for different lengths of time, and the retention period for each should be documented.
Furthermore, organisations may wish to keep some information for the purposes of trend-reporting or analysis, and in this case it would be necessary to anonymise the records (so that they can no longer be associated with an individual). Note that records which have merely been pseudonymised, where a key or reference still allows the individual to be identified, remain personal data under GDPR.
Under GDPR, individuals have the right to request that their personal data is erased from the organisation's records. This right applies in specific circumstances: for example, where the data is no longer needed for the purpose it was collected, where consent was the lawful basis and has been withdrawn, or where the data has been processed unlawfully. It does not override records that the organisation is legally obliged to keep, such as payroll and tax records.
Some systems will process personal information and select or rate individuals based on pre-programmed criteria or logic, for example automated screening or scoring of job applicants. Where a decision with legal or similarly significant effects is based solely on such automated processing, GDPR requires that organisations inform the individuals concerned and give them the right to obtain human intervention, to express their point of view and to contest the decision.
Some organisations will now need to appoint a Data Protection Officer to oversee their compliance with GDPR. This individual will be responsible for the implementation of GDPR within the organisation and for providing advice and guidance internally. They will also monitor compliance (and act where appropriate).
A Data Protection Officer is required when the organisation is a public authority, when its core activities involve regular and systematic monitoring of individuals on a large scale, or when its core activities involve large-scale processing of special categories of data (for example, data related to health, religion, race, or sexual orientation) or of data relating to criminal offences.
GDPR states that a personal data breach must be reported to the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. This is the responsibility of the organisation which is collecting or recording the information. If the breach is likely to result in a high risk to employees (for example, exposure of bank details or health records), organisations are also compelled to inform the affected individuals directly and without undue delay.
There are financial penalties that can be levied against organisations that fail to comply with GDPR. Depending on severity, one of two different ranges of penalty may apply. For both, the penalties are significantly higher than those put in place for the Data Protection Act. Breaches deemed to be less significant could lead to fines of up to €10 million or 2% of global annual turnover for the preceding financial year (whichever is greater); for more serious breaches organisations could now be liable for up to €20 million or up to 4% of their global annual turnover (whichever is greater).
In addition to the penalties an organisation may face if it is deemed to have mismanaged personal data, GDPR also enables individuals to claim compensation from the organisation for damage suffered as a result of a data breach (or some other misuse of their personal data). It is therefore important that organisations consider the reasons for recording employee information, and how well it is protected. For example, if the information were exposed as a result of a cyber-attack, the organisation could now face both regulatory fines and compensation claims.