There have been a number of developments lately that have had, and continue to have, an impact on managing people. There was the abolishment of the tribunal fees, gig economy workers continuing to establish their status, and the next thing coming your way is General Data Regulation Principle (GDPR).
What is GDPR about?
GDPR is a European Directive that looks at data protection. It comes into force in May 2018, and whilst you may sit there and think “Ah, it’s European, we’re heading out of the EU and therefore this won’t matter too much”, you’d be wrong. Firstly, we’ll still be part of the EU when it comes into force, so you’ll need to comply. Secondly, it could be that this is something the UK adopts even post-Brexit. Finally, it’s likely that if you wish to do business with any country in Europe, they will look for evidence that you comply with the legislation anyway.
Ignoring this is unlikely to be the best option!
What does GDPR mean for people data?
GDPR categorises data protection into two areas – data protection ‘by design’ and data protection ‘by default’.
- ‘by design’ requires businesses to embed privacy considerations from a day-to-day perspective but also from a strategic viewpoint. So, when you are considering new system implementations and working practices, you need to demonstrate that you have assessed the data protection risks and that you have built appropriate safeguards into what you are doing.
- ‘by default’ requires businesses to ensure that data is processed only for what is required in each individual case, i.e. not requesting lifetime background when the last year will suffice. This will control the data companies collect and the extent to which it is processed, and ensure it’s not stored for longer than is necessary. Again, these are similar principles to the current DPA, just more refined.
One of the biggest changes that GDPR introduces is consent. Many businesses currently have a clause in their contract that covers Data Protection. It will generally state that the employee gives the employer permission to gather and process personal data. GDPR will not accept this going forward.
GDPR requires data processing consent to be “freely given, informed, specific and explicit”. This means that it will have to be a separate document to the employment contract and there will be a need to provide far more detail as to what information will be captured, how it will be stored, how it will be protected and what it will be used for. Employers will need to have records on how data is processed and a written policy in place which covers the above.
Data Subject Access Requests
At the moment, if you receive a Subject Access Request from an employee, you have 40 days in which to respond and can make a charge of a maximum of £10 for providing the information. GDPR will change this. You will no longer be able to charge a fee and will usually be expected to provide the data in 30 days, which may extend to 90 days in complex cases.
What you should be doing now
Here are some action points for you and your management team to ensure you start moving towards being compliant with GDPR:
- If it’s not already on your agenda then make sure it starts to feature. You need to be planning because, whilst this article focuses on the impact of GDPR on how you deal with employee information, it’s likely to touch many other areas of your business. You should make sure you know enough about the regulations to ensure that not only is HR compliant but also finance and marketing and customer service functions.
- Identify data controller(s) or whether you need a Data Protection Officer;
- Conduct an initial risk assessment. The key question: will you be meeting GDPR compliance? Is the data you process in line with this? Why (reasoning) are you processing it, and is this sufficient?
- Get a compliance timeline in place so that you are ready to “ROCK N ROLL!!”
The requirements for GDPR continue to evolve and here’s a link to the ICO website to help you to keep track of the developments. We are running a GDPR workshop in January 2018 and you can sign up to this here. You can also give us a call on 0203 319 1649 if you’d like to discuss the impact on your business in more detail.