It’s impossible to have escaped the fact that next year, new stricter rules on data protection will come into force that will introduce more stringent rules on how companies handle personal data.
The General Data Protection Regulation (GDPR) will replace the current Data Protection Act. From 25 May 2018, GDPR will change how organisations store and use personal data, and, of course, this will have significant consequences for HR.
Objectives of GDPR
The GDPR makes some significant changes to data protection, including giving individuals more rights relating to their own data. There has been a substantial increase in sanctions in the event of non-compliance with fines of up to either €20,000,000 or 4% of global turnover – whichever is higher.
How will this affect HR?
It can often be difficult to strike a balance between privacy of an individual, and the tasks that employers need to carry out. Here are the key areas that the new regulations will impact on the way HR holds data.
1. Data retention
Organisations should only keep personal data for as long as is necessary, and for the purpose for which it was obtained. Therefore, the details of unsuccessful job applicants should be removed following the end of the recruitment process, unless a candidate has given their explicit consent for the organisation to hold onto it. Also, employers should only keep limited data relating to employees who leave. This will impact the offboarding procedures as these will need to include ‘prune employee data’ as part of the exit process.
2. Targeted information only
Employers will only be able to request data from potential employees where necessary. For any other data, they will need to obtain the explicit permission of the individual. HR will need to take a critical look at the information they hold to make a proper assessment.
3. Demonstrate transparency and accountability
Employers must provide details of how and where they store and process employee data. They should ensure that their employees know that they can access their data by making a “Subject Access Request” (SAR) As from next year, these will be free of charge (unless the amount of data requested is unreasonably large) – the previous maximum administration fee of £10 will no longer apply. Once the new rules come into force, companies must prove that they comply with GDPR.
4. Data only used for the intended purpose
Employers may only use the information for the purpose for which they originally requested it. Personal information should not be stored for future use without permission, which could impact on future recruitment.
5. Data security
One of the main goals of the GDPR is to ensure the protection of personal data.
• Internal access: access to confidential employee information should be on a “need to know” basis. Working closely with IT will become crucial to finding the correct balance between storing data and protecting it from outside threats.
• External access: where employers sub-contract the processing of data, they must choose a provider that offers satisfactory guarantees of data security.
Start your GDPR preparations today.
GDPR will have a huge impact on nearly every aspect of a business. For HR teams, it will require them to review many of their policies and procedures. With the clock counting down to the regulations coming into force, it’s crucial that preparations get underway. Failure to act could result in considerable financial penalties.