The impact of GDPR on HR

From 25 May 2018 the General Data Protection Regulation will apply in the UK. Before this date all businesses and organisations will need to review and update how they collect, store, use and delete personal information.

Employers will be required to ensure that all their processing is conducted in compliance with the new data laws. Consequently, a good starting point for all employers and HR teams is to undertake a data protection impact assessment (also known as a privacy impact assessment) of how data is processed and shared within the business. By carrying out this assessment, an employer or HR team should be able to identify:

  • The specific purposes for which the personal data is being processed;
  • Whether the data being collected is adequate, relevant and limited to what is necessary and proportionate to the purpose for which the data was collected;
  • What steps need to be put in place to prevent the risk of unauthorised processing and breaches of the data subjects’ rights.

It should be noted that after 25 May 2018, in certain circumstances, it will become mandatory for businesses to carry out this assessment. The precise steps that each business ought to take to ensure compliance with the new laws will be determined by the outcomes of each assessment. To comply with their obligations under GDPR, employers will need to put in place different policies. This will include policies to explain the purpose and lawful reason for processing personal data, and also how they intend to process and dispense with that data.

As a starting point, below is a list of a few policies that may need to be either created or amended following the data protection assessment.

Recruitment and selection

  • A privacy notice should be sent to applicants explaining how you will use and store the personal data collected through the application process. If you propose to transfer their data to third parties or to other countries you will need to include this information and explain the safeguards you have put in place to comply with the requirements of this under GDPR. The applicant should also be made aware in clear terms of the circumstances in which they can exercise their right to access the data, request deletion, or rectification of the data.
  • If you are using the services of a recruitment agency, a contract should be in place between you, the hirer, and the agency explaining how the applicant’s personal data will be processed.
  • References should usually only be pursued once the applicant has been offered a role. Consequently, it may be necessary for a separate privacy notice to be sent to the successful applicant explaining how you will process the reference and data pertaining to other checks (e.g. disclosure and barring).


  • Check contracts of employment to see whether you have previously requested “consent” to process personal data. Previous consents are likely to be deemed invalid and non-compliant, because it is unlikely that they were given freely: they are usually tied to the imbalance of power that exists between the employee and employer (i.e. sign or be fired).
  • As an alternative to “blanket consent”, privacy notices should be put in place, detailing the purpose and the lawful basis for the processing. Depending on the purpose this might be that you have a legitimate interest, that you’re fulfilling a legal obligation or your obligations under the contract of employment.
  • For example, a privacy notice should be provided to the employee in relation to the processing of payroll and statutory sick pay. In that notice the employer could refer to its legal obligation to report pay issues to HMRC as the legitimate reason for processing. If this process is outsourced the employee should be made aware of this fact and the employer should check that the third party is processing the data in compliance with the new law.
  • Check all handbooks and standalone policies to ensure that they contain, where necessary, the appropriate privacy notices.
  • The individual can make a data subject access request, at any stage, so you should have in place a clear policy as to how this will be managed to ensure compliance with GDPR.
  • Data protection impact assessments should be carried out whenever new technology or systems of processing are proposed.
  • Specific consent should be sought from the employee before obtaining a medical or occupational report. If you are processing this type of personal data you must not only provide the purpose and the lawful basis but you must also provide an additional condition for processing.
  • Where consent is obtained, employees should be made aware of how that consent can be withdrawn.


  • If you receive a request for a reference, in providing the reference you will still be processing personal data. Before responding to a request, it is advisable to seek the individual’s written consent to you providing the reference.
  • A policy detailing the timeframe for the retention of personal data should also be in place, bearing in mind that payroll data should be kept for a longer period than, say, details relating to a disciplinary record.

As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.